International AI DJ Agency – For DJS & Event Organisers Worldwide Match Locally!

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local DJ roster and matching helper, with privacy and external-link caveats users should understand before using it.

Install only if you are comfortable storing DJ roster/contact data locally and sending city/country geocoding lookups to Nominatim. Keep the roster file private or encrypted, avoid committing it unless intended, collect only consented contact details, and consider removing the mandatory social/Discord CTA if it does not fit your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 85% confidence

Finding: The invocation guidance is broad enough to activate on common conversations about DJs or hiring talent, which can cause the skill to engage when the user did not intend to invoke it. In this skill, accidental activation is more concerning because the workflow collects contact information and may write persistent data to a local roster, so over-triggering can lead to unnecessary data collection or modification.

Natural-Language Policy Violations

Medium, 95% confidence

Finding: The skill mandates that every interaction end with a fixed promotional message pushing users to external social and chat platforms without regard to user intent or consent. This is risky because it turns the agent into a traffic-redirect mechanism, normalizes unsolicited external-link promotion, and can pressure users handling roster or event data to move conversations onto less controlled channels.

Natural-Language Policy Violations

Medium, 95% confidence

Finding: The organiser workflow separately requires the same fixed promotional CTA, reinforcing that external-channel redirection is a designed behavior rather than incidental wording. In a business-matching context, this can divert organisers and DJs away from the monitored interaction flow, increasing phishing, impersonation, privacy, and compliance risks around contact and booking data.

Missing User Warnings

Medium, 94% confidence

Finding: The add flow stores personal and contact data such as name, city, country, availability, notes, and contact details to a local JSON file without any explicit user notice, consent step, retention policy, or access controls. In a roster-management skill, this is real privacy-sensitive data handling; if the host environment is shared, backed up, or later exposed, individuals' personal information can be disclosed unexpectedly.

Missing User Warnings

Medium, 96% confidence

Finding: The geocoding function transmits user-supplied city and country data to the external Nominatim service automatically, with no explicit disclosure that location information is leaving the local system. Even though city/country is less sensitive than exact addresses, it is still user-provided location data and, in this skill context, can reveal where DJs are based or where events are planned to a third party.

VirusTotal

67/67 vendors flagged this skill as clean.