Toingg Ops Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates Toingg campaign, analytics, contact upload, and WhatsApp template workflows, but users should handle contacts, stored exports, and scheduled jobs carefully.

Install only if you want Claw to operate your Toingg account. Use the least-privileged Toingg token available, review campaign payloads and recipient lists before running scripts, upload only contacts you are authorized to message, avoid committing contact exports or analytics with personal data to broad shared storage, and enable the analytics cron only when you want daily background pulls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill explicitly supports converting Excel contact sheets into contact uploads and WhatsApp broadcasts, but it does not warn operators that names, phone numbers, and contextual fields are personal data being sent to an external third-party API. In an agent workflow, that omission can cause users or operators to disclose regulated or sensitive contact data without informed consent, appropriate approval, or data-handling safeguards.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The guidance to keep campaign payloads, analytics snapshots, and contact exports in version control or shared storage is dangerous because those artifacts may contain phone numbers, campaign scripts, operational metadata, analytics, or other sensitive business and personal data. Recommending broad persistence without qualification increases the chance of long-term overexposure, accidental sharing, unauthorized access, and retention beyond business or legal necessity.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation instructs users to upload contact data, including names and phone numbers, to an external service but provides no privacy, consent, retention, or data-handling warning. This creates a real risk of unauthorized disclosure or non-compliant processing of personal data, especially because the workflow operationalizes bulk contact ingestion.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow provides direct instructions for sending WhatsApp templates to uploaded contacts and even highlights a resend option, but does not warn about outbound messaging consent, opt-out handling, rate limits, or abuse/spam risk. In context, this enables operational misuse of a bulk messaging feature against real contacts, increasing the likelihood of harassment, policy violations, or unauthorized communications.

VirusTotal

66/66 vendors flagged this skill as clean.
