Business Doc Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only business document drafting skill with no executable code, with caveats around broad triggers and local workspace storage of generated templates.

Install only if you are comfortable using it as a drafting aid for business documents. Review contracts, NDAs, invoices, payment terms, and legal clauses before sending them, and avoid including confidential client or payment details unless you are comfortable with generated templates being saved in your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill explicitly states that generated document templates will be stored in the user workspace, but this persistence is not necessary for the core function of generating business documents and is not paired with clear consent or retention controls. Because these documents may contain sensitive business, financial, legal, and personal data, automatic storage increases the risk of unintended data retention and exposure.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger list includes broad phrases such as 'generate document' and 'business document', which can match many ordinary user requests unrelated to this specific skill. Overbroad activation can cause the wrong skill to engage unexpectedly, increasing the chance of unintended handling of sensitive business content and accidental downstream actions like template storage.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger conditions contain ambiguous catch-all language like 'Any combination of the above with customization needs,' which lacks clear activation boundaries. In context, this is more dangerous because the skill works with contracts, invoices, and NDAs that often contain sensitive or legally significant data, so unintended activation can lead to inappropriate template generation or data persistence.

Missing User Warnings

Medium
Confidence: 91%
Finding
The notes indicate that generated document templates will be stored in the user workspace, but there is no clear user-facing warning, consent step, or explanation of this data-affecting behavior. Since the skill may process invoices, contracts, and NDAs, silent storage can expose confidential business terms, personal contact details, and financial information beyond the user's expectation.

VirusTotal

64/64 vendors flagged this skill as clean.
