ClawHub

Aivi Engagement

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for lead enrichment and outreach, but it handles phone-number PII and can launch real AI voice/SMS contact without enough prominent disclosure or confirmation controls.

Review this skill carefully before installing. Use it only if you are authorized to process the lead data, have consent and legal basis for outreach, understand that phone numbers and related lead attributes may be sent to AIVI, and can prevent accidental AI calls or SMS messages that may incur charges or violate outreach rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to submit phone numbers for lead scoring and qualification, but it does not clearly warn that those identifiers and related lead data will be transmitted to an external AIVI service for processing. Phone numbers are sensitive personal data in many contexts, and the skill also references enrichment outputs such as litigator status, income level, and property data, increasing privacy and compliance risk if users send data without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The launch_sequence capability can trigger outbound AI voice and SMS campaigns against leads, but the description does not present a prominent user warning that this action may contact real people and incur billable charges. Without a clear warning and confirmation step, users may unintentionally initiate communications that create financial, legal, and reputational exposure, especially in regulated outreach environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly advertises launching AI voice and SMS engagement sequences and enriching leads with phone validity, litigator checks, contactability, and economic indicators, but it does not clearly warn the user that lead PII will be transmitted to an external service and that the skill may initiate outbound contact. In a high-risk context like debt collection, healthcare, and financial services, this omission can cause unauthorized outreach, privacy violations, and regulatory exposure if an operator triggers the skill without informed consent or adequate review.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal