Gtm System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GTM tracker, but it needs review because it can access live CRM data through Doppler/HubSpot and uses an embedded Exa API key without clear disclosure.

Install only if you are comfortable reviewing and controlling the integrations first. Remove or rotate the embedded Exa key, disable or gate HubSpot sync unless you intend to grant CRM access, confirm where Telegram digests go, and protect or back up the local SQLite database because it can contain contact, deal, and interaction history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tainted flow: 'req' from os.environ.get (line 509, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

            try:
                with urllib.request.urlopen(req, timeout=15) as response:
                    data = json.loads(response.read().decode())
            except (urllib.error.URLError, json.JSONDecodeError) as e:
                print(f"  ⚠️ Exa query failed: {e}")
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as response:

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The tool quietly gains access to HubSpot credentials through an external Doppler subprocess, which expands its privilege boundary beyond what a simple GTM tracker CLI suggests. In agent or shared execution environments, this can unexpectedly pull live production secrets and enable access to sensitive CRM data.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code embeds a default Exa API key and enables external search capability without requiring user configuration. Hardcoded service credentials are dangerous because anyone with code access can reuse the key, incur costs, and potentially tie abusive activity back to the owner.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The quick-start instructions encourage users to add contacts, opportunities, reminders, and interaction logs, but do not disclose that this user-provided business and personal data is persisted to a local SQLite database. This creates a transparency and privacy risk: users may enter sensitive prospect or contact information without realizing it will be stored on disk and potentially retained, backed up, or exposed to other local users/processes.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly promotes querying pipeline status, follow-ups, contacts, and notes through Telegram, but provides no warning that this may transmit sensitive business and personal data through a third-party messaging platform. In a GTM/CRM-style system, this can expose contact details, deal status, and internal business context to Telegram chats, bots, logs, notifications, or compromised accounts, making the omission security-relevant rather than purely informational.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly recommends collecting developer/product signals, website visitor identification, and ingesting third-party webhooks into a custom GTM system, but provides no guidance on consent, lawful basis, retention, minimization, or access controls. In a sales-intelligence context, this can lead to deployment of privacy-invasive tracking and storage practices that expose the organization to regulatory, contractual, and trust risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs users to run multiple state-changing commands against a live SQLite database, such as adding contacts, creating opportunities, moving stages, logging interactions, and completing reminders, but gives no warning that these operations persist changes or may be hard to undo. In an agent setting, this increases the risk of accidental modification or corruption of business data because the skill encourages operational actions directly from natural-language requests without confirmation safeguards.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The crawling commands are presented as routine operations without noting that they initiate network access to external sources and may import untrusted external data into the GTM system. In an agent workflow, this is dangerous because it can trigger unexpected outbound connections, pull in manipulated content, and change local state by creating or influencing tracked signals without the user understanding those side effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The plan explicitly directs building prospect lists with names, LinkedIn profiles, and email addresses from third-party sources and launching cold-email outreach, but provides no privacy, consent, CAN-SPAM/GDPR/CCPA, or internal policy guardrails. In an agent skill context, this can operationalize large-scale collection and use of personal contact data for unsolicited outreach, creating legal, compliance, and reputational risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Exa requests transmit curated GTM search queries and content snippets to a third party without any user-facing disclosure or consent workflow. In business contexts, these queries can reveal strategy, target markets, customer pain points, or internal research priorities even if they do not contain traditional secrets.

Missing User Warnings

High
Confidence
94% confidence
Finding
The HubSpot sync pulls and processes contact PII and engagement metadata using production credentials without meaningful disclosure, confirmation, or permission boundaries. In a shared or agent-driven environment, this can expose real customer data and violate privacy, compliance, or least-privilege expectations.

VirusTotal

65/65 vendors flagged this skill as clean.
