AfrexAI Lead Hunter Pro

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about being a sales automation tool, but it encourages autonomous prospect data collection, outreach, CRM updates, and recurring operation without enough approval or compliance controls.

Review before installing. Use this only with approved prospecting sources, documented legal basis, unsubscribe and suppression lists, strict sending limits, audit logs, and human approval before any outbound message or CRM write. Do not run the cron or autopilot routine until permissions, retention/deletion rules, and stop controls are defined.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium, 90% confidence
Finding
The README explicitly promotes fully autonomous prospect discovery, enrichment, outreach, CRM actions, and cron-based operation without any accompanying safeguards, consent requirements, rate limits, review gates, or privacy/compliance warnings. In a lead-generation skill, this context makes the omission materially risky because it encourages agents to process personal/business contact data and perform external actions at scale with little human oversight.

Missing User Warnings

High, 96% confidence
Finding
The skill explicitly instructs autonomous collection, enrichment, storage, scoring, and outreach using identifiable professional contact data, but provides no privacy notice, consent model, lawful-basis guidance, retention limits, or safeguards around handling personal data. In a lead-generation skill, this omission is especially dangerous because the workflow operationalizes bulk profiling and contact enrichment at scale, increasing the risk of privacy violations, noncompliant scraping, and misuse of personal information.

Missing User Warnings

High, 97% confidence
Finding
The automation section directs the agent to autonomously run discovery, enrich leads, score them, send sequenced emails, update CRM records, and process replies with no approval checkpoint, outbound-action guardrail, or warning about data accuracy and messaging risk. In this context, the lack of human review makes erroneous or noncompliant outreach far more likely, and can amplify harm through spam, misdirected communications, reputational damage, and corrupted CRM data at scale.

VirusTotal

63/63 vendors flagged this skill as clean.
