ClawHub

Hvac Operations

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only HVAC workflow skill, but it should be used carefully with customer data and outbound messaging.

Before using this with real customer records, require human approval for outbound messages, verify consent and opt-out status, limit exported fields and technician notes to the minimum necessary, and avoid review-gating practices that could violate platform policies or advertising rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly promotes automated customer outreach, renewal tracking, review generation, and follow-up workflows, but provides no warning about privacy, consent, or lawful handling of customer data. In an operational AI skill for HVAC contractors, this omission can encourage deployment of automations that process personal contact and service-history data without adequate safeguards, creating real compliance and trust risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to export customer lists, send automated emails/SMS/calls, and use review-management workflows without mentioning consent, opt-out handling, data minimization, or compliance requirements. In a business operations context this can lead to unauthorized processing of personal data, privacy violations, and unlawful marketing outreach under applicable rules such as TCPA/CAN-SPAM or similar local regulations.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The dispatch routine directs sending technicians job history and customer notes but does not limit what information may be shared or warn that notes may contain sensitive personal information. This creates unnecessary exposure of customer data to field staff and increases the risk of oversharing, misuse, or disclosure through mobile devices and informal communication channels.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal