ClawHub

Event Management

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only event-planning skill with useful templates, but users should apply privacy controls before sharing attendee information.

Safe to install as an instruction-only planning aid. Before using the sponsor-package or no-show templates, replace attendee-list sharing with opt-in-only or aggregated/anonymized information, disclose any sharing during registration, limit fields shared, and check applicable privacy and email-compliance rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill defines broad natural-language triggers such as 'Plan an event' that can match very common user requests without meaningful scoping or confirmation. This can cause the skill to activate unexpectedly, override more appropriate handling, and increase the chance that users are steered into this workflow even when they did not intend to invoke the event-management skill.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The listed invocation patterns are numerous, generic, and lack trigger constraints, making accidental activation likely across a wide range of ordinary planning or writing requests. In an agent ecosystem, underspecified triggers can create prompt-routing confusion, causing this skill to intercept unrelated tasks and produce unintended behavior or data handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The sponsorship package offers 'Attendee list: Full' access without any privacy warning, consent requirement, or restriction on what attendee data may be shared. This creates a real risk of unauthorized disclosure of personal information to sponsors, potentially violating privacy laws, user expectations, and internal data-handling policies.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Suggesting an 'attendee list preview' as a no-show reduction tactic normalizes sharing participant identities without explaining consent, minimization, or privacy implications. Even a preview can expose personal or professional association data and may pressure organizers to disclose registrant information in ways attendees did not authorize.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal