Follow Up Boss

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Follow Up Boss CLI that uses an API key to read and change CRM data, with no evidence of hidden exfiltration or deception.

Install only if you want this skill to access your Follow Up Boss account. Use a limited API key if available, keep FUB_API_KEY out of shared logs and committed files, and manually review any create, update, complete, delete, webhook, or event command before running it against production CRM data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The setup instructions tell users to export a live API key but do not include any warning about secure credential handling, such as avoiding shell history leakage, screenshots, shared terminals, or committing secrets to files. Because this key grants authenticated access to CRM data and actions, careless handling can lead to account compromise and unauthorized data access or modification.

Missing User Warnings

Medium
Confidence: 94%
Finding
The command list includes numerous state-changing operations—creating people, notes, tasks, events, deals, and webhooks, updating records, and deleting webhooks—without a general warning that these commands can permanently change CRM state. In a production CRM context, accidental or automated misuse could create bad leads, trigger automations, alter records, or remove integrations, causing operational disruption and data integrity issues.

VirusTotal

64/64 vendors flagged this skill as clean.
