ClawHub

Form Cro

Security checks across malware telemetry and agentic risk

Overview

This form-optimization skill is coherent and does not show harmful behavior, but users should apply privacy safeguards to any form analytics it recommends.

Safe to install for form audits and local HTML review. Before following its measurement advice, configure analytics to collect only necessary metadata, never raw field values or sensitive inputs, and follow your site's notice, consent, retention, and compliance requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broad enough to match many ordinary discussions about forms, including generic references to contact forms, checkout forms, and form fields. In an agentic routing system, this can cause unintended invocation, leading the assistant to switch into a specialized CRO workflow when the user may have meant general UX, analytics, implementation, or support guidance.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The proactive trigger activates form-cro whenever a demo request or contact page is being built, even if the user is focused on design, engineering, or content rather than conversion optimization. This creates over-invocation risk, which can derail task routing, introduce irrelevant recommendations, and reduce reliability of the broader skill-selection system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The playbook recommends tracking detailed form interaction events such as field completion, errors, and submit attempts, but it does not mention data minimization, consent, or disclosure obligations. In a form-optimization context, these analytics can capture behavioral data and potentially sensitive user input patterns, creating privacy and compliance risk if implemented without notice, controls, or limits.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal