Rfp Response Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a proposal/RFP assistance skill whose sensitive inputs are expected for its purpose, but users should sanitize confidential procurement material before use.

Use this with redacted or approved proposal materials only. Remove confidential pricing, customer references, personal data, export-controlled content, and procurement-restricted information unless your organization has authorized sharing it with the agent environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 84% confidence

Finding:
The invocation example invites users to paste or attach an RFP and company profile without defining trigger boundaries, scope limits, or prohibited inputs. In a procurement context, this can cause the skill to ingest sensitive solicitation material, internal pricing, proprietary capabilities, or regulated data more broadly than intended, increasing the chance of oversharing or misuse.

Missing User Warnings

Medium, 95% confidence

Finding:
The README encourages submission of RFP documents and company profiles but provides no warning that these materials often contain sensitive procurement data, confidential business information, pricing, customer references, or personal data. Because the skill is specifically designed for high-stakes proposal work, this omission materially increases the risk of accidental disclosure, noncompliant handling of procurement data, and downstream leakage into generated outputs or connected systems.

VirusTotal

65/65 vendors flagged this skill as clean.
