ClawHub

Beta Client Onboarding

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only client onboarding skill whose email, document, and calendar references fit its stated purpose, but users should supervise sensitive client communications.

Before installing, make sure your agent has access only to the client records, email account, document system, and calendar it actually needs. Require human review before sending client-facing messages, requesting documents, or scheduling kickoff meetings, especially when handling confidential or regulated onboarding data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill says it is activated automatically when a new client engagement begins, but it does not define any concrete trigger boundaries, approval gates, or scope checks. Because this skill can send communications, track documents, and use calendar access, an overly broad activation condition could cause unintended actions on the wrong client, at the wrong time, or without explicit user review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description does not warn that it may handle client communications, onboarding documents, intake data, and calendar operations, all of which can involve sensitive business or personal information. Without clear warnings and handling expectations, operators may enable or invoke the skill without understanding the privacy, authorization, and misdelivery risks tied to these actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal