ClawHub

Growth Engineering Mastery

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only growth-marketing playbook; its privacy-sensitive analytics suggestions need care, but the skill itself does not execute code or request privileged access.

Install is reasonable as an advisory skill. Before acting on its analytics or lifecycle-marketing advice, review privacy laws and platform rules, honor opt-outs, avoid sensitive categories, and configure any analytics/session replay tools with masking, page exclusions, least-privilege access, and short retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly recommends using a user's actual usage data in re-engagement messaging, but it does not mention consent, transparency, lawful basis, or limits on sensitive behavioral profiling. In a growth-marketing skill, that omission is materially risky because practitioners may implement personalized outreach that violates privacy expectations or regulatory requirements, especially if the usage data reveals sensitive business or personal behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill recommends session recording tools as part of the analytics stack without any warning that these tools can capture typed input, credentials, financial details, health data, or other sensitive content if not carefully configured. In this context, the advice is more dangerous because it is presented as a default operational recommendation, increasing the chance that users deploy invasive tracking without masking, consent, access controls, or jurisdiction-specific compliance measures.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal