ClawHub

marketing-ops

Security checks across malware telemetry and agentic risk

Overview

This appears to be a marketing helper/router skill with some broad trigger wording, but no artifact-backed evidence of hidden, destructive, or credential-seeking behavior.

Install if you want a marketing coordination skill, but be aware it may activate on broad writing or brainstorming prompts. Keep any marketing-context.md content limited to information you are comfortable using for marketing work, and confirm intent if the assistant starts routing a task that is not actually marketing-related.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
The skill instructs the agent to read a local file (`marketing-context.md`) but does not declare any permissions for file access. Undeclared file-read behavior is risky because it expands the skill's effective capabilities beyond what a reviewer or runtime policy may expect, which can lead to unintended local data exposure if similarly patterned instructions are reused for more sensitive files.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description includes broad activation phrases such as 'marketing help,' 'what should I do next,' and 'coordinate marketing,' which can match vague everyday requests and cause overbroad skill invocation. Over-triggering is dangerous because it may steer unrelated user requests into a powerful routing/orchestration workflow, increasing the chance of inappropriate delegation, unnecessary context access, or confusing cross-domain actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Several routing triggers are highly generic, including terms like 'brainstorm,' 'headline,' 'research and write,' and 'psychology,' without sufficient marketing-scoped constraints. In a router skill, this can cause accidental activation of downstream specialist skills for non-marketing tasks, creating misrouting, data oversharing between skills, and reduced user control over what capabilities are engaged.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal