Ping An Insurance Advisor Assistant

Security checks across malware telemetry and agentic risk

Overview

This insurance advisor skill is purpose-aligned, but it needs review because it handles and exports sensitive health, identity, and financial data without enough privacy or retention controls.

Install only if you can enforce your own customer privacy process. Before using it with real clients, obtain explicit consent, collect only necessary fields, avoid unnecessary identifiers or raw medical details, verify Feishu sharing permissions, and define retention and deletion rules for customer archives and generated reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill is designed to collect highly sensitive personal, health, family, and financial information during KYC and underwriting-style questioning, but it does not instruct the assistant to give a clear privacy notice or obtain informed consent before collection starts. In this context, users may disclose special-category data without understanding retention, sharing, or downstream use, increasing the risk of privacy harm and regulatory noncompliance.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill instructs the assistant to generate Feishu/PDF reports containing customer insurance analysis, but it does not require a warning that sensitive customer data may be written into third-party document systems or exported for transmission. Because the reports include health, family, and financial details, external document creation materially increases exposure through sharing links, platform retention, misdelivery, and access-control mistakes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The SOP directs collection of extensive sensitive personal, financial, and health information, including medical history and family disease history, but provides no guidance on consent, minimization, lawful basis, access control, or secure handling. In an insurance context, this data is highly sensitive and could cause serious privacy harm, discrimination, fraud, or regulatory violations if mishandled or over-collected.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document instructs staff to establish customer archives containing health disclosure records, policy summaries, and communication records, yet omits any retention limits, protection standards, or confidentiality controls. Centralizing this volume of sensitive data without storage and lifecycle safeguards increases the risk of unauthorized access, leakage, insider misuse, and noncompliance.

Ssd 3

Medium
Confidence: 96%
Finding
The skill explicitly tells the assistant to summarize collected sensitive information back to the user and include it in a generated report, including age, health status, family context, budget, and analysis outputs. Reproducing and packaging sensitive data increases the chance of overexposure, accidental disclosure to the wrong recipient, and creation of durable records that outlive the original conversation.

Ssd 3

Medium
Confidence: 98%
Finding
The example JSON and report-generation flow encourage assembling detailed customer dossiers that combine health history, family history, income, debt, marital status, and insurance status into shareable documents. This concentration of special-category and financial data in a portable format significantly raises the severity of any accidental sharing, unauthorized access, or downstream misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
