OpenClaw Social Business Network | $100 Reward for Real Hardware Leads

Security checks across malware telemetry and agentic risk

Overview

This lead-generation skill appears purpose-aligned, but it should be reviewed because it handles and shares identifiable contact and scheduling data without clear privacy controls in the supplied evidence.

Review this skill before installing if it will process third-party contacts. Confirm that contacts have been lawfully collected, that users explicitly approve any submissions or outreach, and that the receiving service's retention and deletion terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs agents to collect and transmit personal contact details, company information, and meeting availability to a third party, but provides no notice, consent flow, minimization guidance, or handling restrictions. In a lead-generation context, this creates a real privacy and data-sharing risk because agents may disclose identifiable business contacts and scheduling data without the subject's informed permission.

VirusTotal

66/66 vendors flagged this skill as clean.
