ClawHub

OKR进度追踪大师

Security checks across malware telemetry and agentic risk

Overview

This documentation-only OKR tracking skill is purpose-aligned and discloses optional enterprise integrations, but users should verify data-flow details before connecting sensitive work accounts.

Before installing, confirm which integrations you enable, use least-privilege API tokens where possible, and treat OKR reports as sensitive enterprise data. The publisher should clarify whether integrations are read-only, whether reports are exported or shared, and what data is cached locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation claims data is only processed locally and not uploaded to third parties, yet the skill also states it synchronizes OKR data through external APIs such as Notion, Jira, Feishu/Lark, and Google Sheets. This is a material security/privacy misrepresentation that can cause users to expose sensitive enterprise performance data under false assumptions about network transfer and third-party handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description understates or obscures that using the integrations requires network transfers to external platforms, while simultaneously assuring users that data is not uploaded to third parties. For an enterprise OKR tool, this ambiguity is dangerous because the data may include sensitive organizational goals, staffing, and performance details, and users may not apply appropriate approval or data-governance controls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal