marketing-calendar

Security checks across malware telemetry and agentic risk

Overview

This skill is a prompt-only marketing calendar generator that may search the web for missing brand details and create one local HTML report.

Installers should expect the skill to proceed without clarification, possibly search the web when brand details are incomplete, and write a local HTML report. Use non-confidential brand information when web lookup is acceptable, and review the generated report before sharing it externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding:
The skill instructs the agent to use WebSearch when user-provided brand information is incomplete, which expands the skill's behavior from local user input processing into external data retrieval. This can introduce privacy, consent, and data provenance risks because the user may not expect their query to trigger outbound searches or incorporation of untrusted third-party content.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly directs the agent to use WebSearch to fill missing brand information, but it does not tell the user that external network requests may occur or obtain consent first. This can expose user-provided brand context or trigger unexpected outbound access, which is especially risky in enterprise or privacy-sensitive environments.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill instructs the agent to generate an HTML file (`marketing_calendar_report.html`) without warning the user that a file will be created or written. Unexpected file creation can violate user expectations, create data-handling risks, and become more dangerous if the HTML includes unsanitized user content or is stored in shared environments.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The skill writes a local HTML file without an explicit user-facing warning or consent step, which creates a side effect beyond normal conversational output. Even if the HTML is intended as a report, silent file generation can surprise users and may embed untrusted brand text into a rendered document, increasing the risk of unsafe or misleading local artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.
