Contractor Marketing Cowork Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate contractor marketing assistant, but it can act on live business accounts and store sensitive business data without consistent approval boundaries.

Install only if you are comfortable giving an agent marketing-operations access to real contractor business accounts. Use a dedicated browser profile, least-privilege account access, and keep business-profile.md private. Review and explicitly approve every post, review reply, email import, sequence activation, ad campaign, budget change, and scheduled task before it goes live; prefer pasted exports and draft-only workflows where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (19)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file documents broad access to third-party services, including ad platforms, social media accounts, analytics, CRMs, and customer/job records, and explicitly states that browser automation may be used when direct connectors are unavailable. Without clear user-consent boundaries, privacy warnings, or action-scope limitations, this creates a real risk of the agent accessing sensitive account data or performing account-impacting actions on behalf of the user unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes automated generation, scheduling, and in some cases publishing of marketing content without clearly warning users about review requirements, privacy considerations, or the risk of unintended external actions. In this skill context, the commands are explicitly designed to act on business data and public-facing channels, so omission of safeguards can lead to accidental disclosure of customer information, reputational damage, or unauthorized publication.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly advertises generating and publishing content plus using direct integrations or browser automation against third-party platforms, but it provides no warning that these actions may post publicly, spend ad budget, modify business profiles, or otherwise affect external accounts. In an agent setting, that omission is risky because users may invoke commands assuming they are advisory-only, while the skill design suggests real-world side effects across connected services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The embedded Strategy Library example includes a live external API endpoint and API key, while omitting any privacy notice about data being sent off-platform or guidance on what user/business information is safe to transmit. This creates a real risk of unintentional disclosure of sensitive marketing, customer, or business data to a third-party service and normalizes direct external calls from the skill without consent boundaries.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger condition for browser-driven campaign creation is based on very broad natural-language phrases like "set it up" or "create the campaign," which can be mentioned incidentally during normal discussion rather than as an explicit authorization to take action. In a skill that can open advertising platforms and begin operational setup, this creates an unsafe ambiguity boundary between content generation and external side effects, increasing the chance of unintended automation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "set it up" is overly broad for an automation-capable skill that opens third-party services and configures email campaigns. In normal conversation, a user could say that phrase ambiguously and unintentionally authorize browser actions, leading to unintended account changes or campaign setup in Mailchimp/MailerLite.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to import a customer CSV into a third-party email platform without requiring explicit consent, data sensitivity review, or validation that the contacts may legally be uploaded and marketed to. Because this involves customer personal data and external services, the lack of privacy safeguards increases the risk of unauthorized disclosure, compliance violations, and accidental misuse of recipient data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to publish directly to the user's Google Business Profile by navigating the site and clicking "Post," but it does not require an explicit warning that this creates a public-facing business post. Because the command also says to "optionally publish" and then "Confirm to user that it was published," an agent could take a real external account action without a clear, separate confirmation step immediately before publication, increasing the chance of accidental public posting.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly tells the agent to read the user's business profile and to 'ask once and remember' equipment cost data, which creates implicit retention of potentially sensitive business information without notice, consent boundaries, or data-minimization rules. In a business-financial workflow, this can expose proprietary pricing, cost structure, staffing, and operational details to unintended persistence or reuse across contexts.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger condition is vague enough that the command could activate on loosely matched user input and generate follow-up messaging for the wrong contact or context. In a workflow that reads business profile and prepares CRM/Twilio-ready outreach, ambiguous triggering increases the risk of unauthorized or mistaken communications to leads, which can create privacy, compliance, and reputational issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill prepares SMS and email content explicitly for CRM or Twilio use but omits safeguards around consent, opt-out handling beyond a narrow case, data minimization, and jurisdiction-specific messaging rules. Because this is operational marketing outreach content for real leads, the missing privacy and communications compliance warnings make accidental spam, misuse of personal data, or unlawful contact more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The onboarding flow collects a large amount of sensitive business and personal information, including phone number, email, physical address, employee names and roles, licensing/insurance details, software stack, and payment methods, then instructs saving it to a plaintext file in the current directory without any warning, minimization, or consent step. This creates unnecessary exposure of sensitive data at rest, especially in shared workspaces, synced folders, source repositories, or agent environments where files may be reused automatically by other commands.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly advertises that it can post responses directly via computer use, which creates a real risk of unintended modification of public business data if the agent proceeds from a casual user request without a clear safety gate. In this context, publishing customer-review replies is an external side effect with reputational consequences, so the absence of an explicit warning and approval flow makes the capability materially risky.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The publishing workflow instructs the agent to log into the live business reviews interface, locate reviews, paste responses, and submit them, but it contains no explicit confirmation checkpoint immediately before each live post. This is dangerous because a mistaken parse, wrong review match, or poorly worded response could be publicly published at scale, causing reputational harm and making rollback difficult.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The scheduling trigger is defined by very broad natural-language phrases like "schedule them" or "put them in Buffer," which can be matched unintentionally in ordinary conversation or quoted text. Because the skill then initiates browser-driven actions in external publishing tools, an accidental trigger could cause unauthorized or premature posting activity on the user's connected social accounts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The command explicitly offers to pull data from Google Search Console, GA4, Meta Ads, and Google Ads via computer use, which can involve access to authenticated business accounts and sensitive marketing data. Without an explicit warning, consent step, or scope limitation, users may unknowingly authorize account interactions or expose business performance data, increasing privacy and account-access risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation description includes broad trigger terms like 'email,' 'leads,' 'follow-up,' and 'CRM,' which are common in many unrelated business conversations. This can cause the skill to activate unintentionally, exposing users to irrelevant automation guidance and increasing the chance that the agent applies marketing workflows in the wrong context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation description uses broad conversational triggers like proposals, estimates, job costs, margins, pricing, or profitability without clear boundaries or disambiguation. This can cause the skill to activate in loosely related contexts, leading to unintended behavior, prompt-scope expansion, or interference with other skills handling financial or operational discussions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation text uses broad everyday terms like "social media," "Instagram," "Facebook," "reviews," and "content," which can cause the skill to trigger in situations where the user is not actually asking for this contractor-specific marketing behavior. Unintended invocation can inject irrelevant or misleading guidance into unrelated tasks and may expose the agent to prompt-routing manipulation when common terms are mentioned incidentally.

VirusTotal

58/58 vendors flagged this skill as clean.
