Pans Daily Sales Brief

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local sales-brief helper, but it stores business pipeline data locally and can use an external search helper for competitor news.

Install only if you are comfortable storing sales/customer pipeline data in a local JSON file. Avoid entering regulated, secret, or highly confidential customer information unless the local machine and backups are protected, and review the referenced helper skills before using add/update or competitor-news features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises executable commands that read and write local files and invoke Python from the shell, but the skill metadata does not declare corresponding permissions. This creates a transparency and consent problem: users or hosting frameworks may not realize the skill can access local business data and execute shell-capable actions.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases are very broad and include common terms like 'sales report', 'pipeline', and '客户跟进', which could cause the skill to activate during ordinary business conversations. Unintended invocation is risky here because the skill handles customer and contract data and may run scripts that access or modify local records.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation explicitly describes storing customer pipeline, contract amounts, notes, and lead information in a local JSON file, but it does not warn that this is potentially sensitive commercial data. Without clear guidance, users may store confidential sales data insecurely, increasing the risk of local disclosure, backup leakage, or mishandling.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding
The skill states it will fetch competitor news via SearXNG but does not warn users that external network requests may occur. Even if the query is low sensitivity, automatic outbound requests can leak usage patterns, business interests, or search terms to external services or network operators.

VirusTotal

67/67 vendors flagged this skill as clean.