ClawHub

Marketing Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a simple marketing-audit orchestration skill whose main risk is that it delegates work and possible API-key use to other collector skills.

Safe to install as an instruction-only orchestrator, but review the named collector and report-generator skills before use. Confirm what services they contact, what API keys they use, and whether sharing the target domain, Instagram handle, and raw audit data with those subskills is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill documentation explicitly says individual collector failures should not block the overall orchestration, but the pseudocode performs sequential awaited sub-skill calls with no per-call error handling. In practice, any collector or report-generator exception would terminate the workflow early, creating a denial-of-service/reliability weakness and making the behavior inconsistent with the stated contract.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill orchestrates multiple external collector/report skills and notes that the framework may supply API keys and environment-backed access to third-party services, but it does not clearly warn users that invoking this skill can trigger downstream external calls. This creates a transparency and consent problem: users may provide inputs without understanding that data may be sent to external services and billed credentials may be used by sub-skills.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal