ClawHub

Market Research Starter

Security checks across malware telemetry and agentic risk

Overview

This is a market-research template skill with a disclosed optional Company Brain enhancement, and the reviewed artifacts do not show exfiltration, destructive actions, credential access, or hidden persistence.

Reasonable to install as a manual market-research toolkit. Before using the Company Brain enhancement, review and trust the separate Company Brain installation, and avoid storing sensitive company notes there unless you are comfortable with that context being used in generated market-research prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code prepends /data/.openclaw/workspace/company-brain to sys.path and imports a Brain wrapper from that separate knowledge base, creating access to internal company data that is not disclosed by the skill manifest. This expands the skill's effective privileges and data sources beyond a 'free market research toolkit', enabling hidden retrieval of proprietary context during normal use.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The functions query internal 'company context' and inject the returned answer directly into the user prompt, silently altering outputs with undisclosed internal information. In this skill context, that is more dangerous because users expect a generic market-research helper, not a tool that mixes in private enterprise knowledge and may leak sensitive context into downstream model interactions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Brain queries perform implicit external or cross-boundary data access without any user-facing notice, logging, or policy gate, so users cannot tell that additional hidden context is being fetched. This weakens transparency and can result in unreviewed internal data influencing responses or being exposed through generated output.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal