Security audit

DoctorClaw Feedback Digest

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill summarizes customer feedback and is purpose-aligned, but users should configure privacy, delivery, and retention carefully.

Before installing, decide exactly which feedback sources the agent may read, use private delivery channels, redact customer identifiers where practical, define retention or deletion rules for archived digests, and require explicit approval before any customer or public response is posted.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly collects customer feedback from reviews, surveys, support tickets, and social mentions, which commonly contain personal data, account details, complaint narratives, and other sensitive business information. It provides operational guidance for ingesting and processing this data but omits privacy, minimization, consent, retention, and secure-handling safeguards, creating a real risk of inappropriate collection or processing.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to send digests via external channels, issue immediate alerts, and save archives containing feedback excerpts and analysis. Without safeguards, this can expose customer statements or identifiers through chat platforms or persistent storage, increasing the chance of data leakage, over-retention, or unauthorized access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal