Compliance Posture Intake

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent HIPAA compliance intake workflow, with a limited privacy caution around optional state-law web searches using user-provided business context.

Before installing, understand that the skill may read compliance documents you provide and may run web searches for state-law obligations using your state and generalized business description. Avoid entering organization names, customer names, PHI, secrets, or highly specific sensitive details unless you are comfortable with that context being used in the assessment; ask the agent to skip web research if you need a local-only review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The skill instructs the agent to perform web searches using state names and the user's business description, which can transmit organization-specific details to external services without necessity or minimization. In a compliance intake context, this is risky because the user's business context may itself be sensitive, and the searches are triggered internally before explicit user-facing disclosure or consent.

Missing User Warnings

Medium, 96% confidence
Finding
The skill directs the agent to send details about the user's organization and legal/compliance posture to external web search providers without warning the user that potentially sensitive business context will leave the local conversation. In a HIPAA compliance assessment, even if PHI is not explicitly searched, metadata about customers, regulated activities, and operating states can be sensitive and may create confidentiality, trust, or contractual issues.

VirusTotal

64/64 vendors flagged this skill as clean.
