Email Marketing Engine

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only email marketing playbook with no code, credentials, or hidden execution behavior, though users should apply legal and consent checks before using its cold-outreach guidance.

Use this as advisory marketing material, not as permission to contact people. Before using cold outreach or list audits, confirm your contact source, consent or lawful basis, unsubscribe handling, and the rules for each recipient region and email platform.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 86% confidence
Finding:
The quick-start prompts are very broad and can trigger outreach, auditing, and content-generation behavior without clear scope, authorization, or safety boundaries. In a skill explicitly focused on email marketing and cold outreach, this increases the chance an agent will perform privacy-sensitive or potentially non-compliant actions on real people or datasets without requiring user confirmation or lawful-use checks.

Missing User Warnings

Medium, 93% confidence
Finding:
The README promotes cold outreach and email list auditing but provides no warnings or gating around consent, privacy, or legal compliance at the point of use. Because these capabilities can involve personal data processing, unsolicited contact, and compliance-sensitive behavior, the lack of guardrails makes misuse more likely and more dangerous in this specific skill context.

Vague Triggers

Medium, 93% confidence
Finding:
The skill exposes very broad natural-language commands such as writing cold emails, generating DNS records, and checking compliance without any invocation constraints, confirmation gates, or scope limits. In an agent setting, this can enable unintended execution of high-impact marketing or outreach workflows from ambiguous user input, including actions related to cold outreach and compliance-sensitive messaging.

VirusTotal

64/64 vendors flagged this skill as clean.
