ClawHub

Annual Report Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only annual report template that asks for sensitive business data but shows no code execution, persistence, credential access, or data-sharing behavior.

Safe to install as a reporting aid, but use it only with company data you are authorized to share with your agent. Redact unnecessary customer, employee, payroll, and financial details, avoid regulated or non-public information unless your environment is approved for it, and fact-check the generated report before sending it to a board, investors, or the public.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "Generate our annual report" is broad enough that it could be invoked during ordinary business conversation rather than as an intentional skill activation. Because this skill processes highly sensitive financial, operational, and strategic data, accidental triggering could cause unnecessary exposure of confidential company information to the agent workflow or downstream systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly requests sensitive company information including revenue, expenses, customer metrics, headcount, and strategic milestones, but provides no warning about confidentiality, data handling, or sharing risks. This increases the chance that users will paste regulated, non-public, or commercially sensitive data into an agent without understanding retention, access, or transmission implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal