Crm Manager

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local CSV CRM skill that saves contact and deal data on disk as advertised, with no hidden network, credential, or destructive behavior found.

Use this skill only in a workspace where it is acceptable to keep CRM contact details, notes, deal values, and backups in local files. Be explicit when asking it to add, update, or move contacts, review bulk changes before accepting them, and treat the promoted extra skills or context-pack links as separate items to evaluate before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding:
The README says the skill manages contacts in a local CSV file but does not clearly warn users that potentially sensitive personal and business data will be persisted to disk. In a CRM context this matters because users may enter names, notes, deal values, and follow-up details assuming transient processing, leading to unintended retention, local exposure, or compliance issues on shared or unmanaged systems.

Vague Triggers

Medium
Confidence: 91%
Finding:
The command patterns are very broad and could activate on ordinary CRM-related requests without clear confirmation that the user intends file modification. In this skill, broad activation is risky because several commands lead directly to reading and updating a local CSV, so an ambiguous request could cause unintended data changes.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill instructs the agent to create and modify a local CRM file but does not clearly warn users that normal operations will persist changes to workspace data or that backups are advisable before routine edits. Because this is a business data store, accidental writes, overwrites, or malformed updates could affect contact records and pipeline state.

VirusTotal

64/64 vendors flagged this skill as clean.
