市场营销助手(Marketing Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a marketing workflow assistant with disclosed logging and archive behavior, but users should configure privacy and retention controls before using it with sensitive business materials.

Before installing, confirm who can access Feishu submissions, historical materials, audit logs, and archives. Avoid sending unnecessary personal or confidential customer data, require human review before publishing, and set clear retention, deletion, and redaction rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The workflow explicitly accepts user messages and attachments, retrieves historical materials/knowledge bases, and logs/archives results, but the skill text provides no explicit user-facing notice about what data is collected, reused, retained, or who can access it. This creates a privacy and data-governance risk because users may submit sensitive marketing assets, customer data, or internal business materials without informed consent or clear handling boundaries.

Missing User Warnings

Medium
Confidence: 95%
Finding
The same pattern repeats across multiple workflows: user-submitted content and attachments are parsed, historical materials are retrieved, outputs are generated, and logs/archives are stored, yet there is still no explicit privacy disclosure or data-use limitation. Because this behavior is systematic across the skill, it increases the chance of over-collection, unintended reuse of proprietary content, and retention of sensitive business or personal information.

VirusTotal

63/63 vendors flagged this skill as clean.
