Personal CRM

Security checks across malware telemetry and agentic risk

Overview

This Personal CRM is not malware, but it should be reviewed because it can automatically store casual relationship details and bulk-import contact data into Feishu/Lark with limited per-action confirmation.

Install only if you want an agent to save relationship details from normal conversation into Feishu/Lark. Use a dedicated Bitable and least-privilege Feishu app, review saved entries regularly, and avoid ADB phone sync or bulk imports unless you have confirmed exactly what will be uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Medium (86% confidence)

The skill adds OCR via shelling out to tesseract, which expands it from CRM operations into local command execution and image processing of potentially sensitive personal data. This broadens attack surface and can process private screenshots without clear safety boundaries or permission disclosure.

Context-Inappropriate Capability

High (95% confidence)

ADB-based phone contact extraction is an intrusive device-access feature that can pull large volumes of sensitive third-party contact data from a connected phone. This is substantially more dangerous than normal CRM use because it reaches into a user device and enables bulk collection well beyond what the skill description suggests.

Context-Inappropriate Capability

Medium (83% confidence)

The skill directs execution of a local Python import script on arbitrary user-supplied file paths, exceeding the stated CRM scope and introducing code-execution and file-access risk. Even if the script is benign, this pattern normalizes local execution for sensitive contact ingestion without clear guardrails.

Description-Behavior Mismatch

Medium (80% confidence)

The manifest omits import/export and device-ingestion features even though the body instructs the agent to perform them. That omission weakens transparency and prevents users from understanding that local files, screenshots, and phone data may be accessed and exported.

Missing User Warnings

Medium (94% confidence)

The README advertises automatic capture of relationship details from natural conversation, including birthdays, hobbies, preferences, and personal notes, but does not clearly warn users that sensitive third-party personal data may be stored as they chat. This creates a meaningful privacy and consent risk because users may enable the skill without realizing how broadly it collects and persists personal information about others.

Missing User Warnings

Low (87% confidence)

The README states that one command will automatically create all required Bitable tables and fields, but it does not clearly warn that the skill will modify the user's Feishu/Lark workspace. While this is expected functionality, lack of disclosure can lead to surprising workspace changes, overbroad permissions acceptance, or accidental creation of data structures in the wrong tenant or account.

Missing User Warnings

Medium (88% confidence)

The setup guide asks for broad Bitable read/write access in a skill that stores sensitive personal relationship data such as birthdays, phone numbers, notes, and interaction history, but it does not warn users about the privacy implications or recommend least-privilege configuration. If the skill or its runtime is compromised, these permissions enable bulk access to and modification of highly sensitive personal data.

Vague Triggers

High (94% confidence)

The activation conditions are so broad that ordinary conversation about other people can trigger the skill, creating a high risk of collecting or inferring personal data without a deliberate save request. In a CRM context this is especially dangerous because the skill is designed to persist and organize sensitive relationship data over time.

Missing User Warnings

High (96% confidence)

The skill explicitly tells the agent to proactively capture and store personal information from casual conversation without a clear warning or explicit consent flow. This creates covert data collection risk involving both the user and third parties, including sensitive details like birthdays, relationships, and habits.

Missing User Warnings

High (95% confidence)

The import features pull sensitive contact data from local files, OCR, and phone contacts and then transmit it to Feishu, but the skill provides no clear privacy warning or consent model for third-party data handling. This significantly raises the chance of over-collection, unauthorized transfer, and privacy-law or policy violations.

Ssd 3

Medium (92% confidence)

Instructing the agent to save personal details from ordinary conversation without an explicit save request undermines user intent and informed consent. Because the stored data concerns identifiable people and relationship context, even routine conversation can become persistent records unexpectedly.

Ssd 3

High (96% confidence)

Automatic logging of stories and personal disclosures about other people without confirmation is a serious privacy issue, especially because the content may include sensitive life events, work changes, emotions, and future plans. Persisting such narratives to a remote CRM can expose third-party data far beyond what the speaker expected.

Ssd 3

High (95% confidence)

A general rule to actively update contact records whenever new personal information is mentioned creates persistent surveillance-like behavior within ordinary chat. In this skill's context, that is especially risky because updates may involve third-party employment, location, relationship, or milestone data and are sent to an external platform.

VirusTotal

66/66 vendors flagged this skill as clean.