Lead Generation Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, paid lead-generation API skill. It carries privacy and cold-email compliance risks, but the scan found no hidden local code and no deceptive behavior.

Install only if you are comfortable using a paid third-party lead-generation service. Set spending controls, avoid submitting confidential data, and human-review all returned contacts and email drafts for accuracy, consent, privacy, and anti-spam compliance before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings (severity: Medium; confidence: 89%)

Finding
The skill explicitly offers business discovery, contact identification, and personalized cold-email generation without any privacy, consent, or responsible-use guidance. In this context, that omission increases the risk of misuse for mass unsolicited outreach, inappropriate processing of personal/business contact data, and downstream compliance issues under anti-spam and data-protection regimes.

Missing User Warnings (severity: Medium; confidence: 92%)

Finding
The research endpoint returns decision-maker contact details, including names and emails, but provides no disclosure about handling potentially sensitive personal data. Because this skill is designed for autonomous lead generation, the lack of safeguards makes large-scale collection, enrichment, and use of contact data more dangerous than in a purely informational business-research tool.

Missing User Warnings (severity: Medium; confidence: 90%)

Finding
The outreach endpoint generates ready-to-send cold emails and follow-up sequences without warning that outputs may be inaccurate, manipulative, or legally noncompliant if sent automatically. In an autonomous outreach pipeline, this omission materially raises the chance of spam, reputational harm, and policy or regulatory violations because users may treat generated messages as production-ready.

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it as clean.