Security audit

Company Scan

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed company-search helper that sends company screening criteria to an external 亿欧 API and returns structured results.

Install this if you want structured company screening from 亿欧 data. Avoid putting secrets or highly sensitive business plans into search terms, because queries are sent to an external API, and be aware results are temporarily written to a local file before display.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium (95% confidence)

Finding:
The skill mandates use whenever a request involves batch company lookup by industry, region, or financing status, without clear exclusion criteria or a narrower trigger boundary. This can cause over-invocation, routing ordinary research requests into a specialized workflow unnecessarily, increasing the chance of unintended tool use, irrelevant searches, or disclosure of user intent to external systems.

Vague Triggers

Medium (92% confidence)

Finding:
The repeated guidance reinforces mandatory activation but still does not define constraints, fallback behavior, or disambiguation steps. In practice, this ambiguity can make the orchestrator invoke the skill too often, reducing user control and potentially sending partially matched queries into a tool-backed search flow that the user did not intend.

Natural-Language Policy Violations

Medium (86% confidence)

Finding:
The description specifies a Chinese-language behavior and China-focused enterprise scanning context without offering user choice or documenting that this locale restriction is intentional. While not directly enabling code execution or data exfiltration, it can create misleading routing behavior, exclude user preferences, and silently bias results toward one locale or language context.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.