ClawHub

Cold Email Prospecting Agent

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed RevoScale prospecting skill, but it handles sensitive contact data and should only be used for compliant business outreach.

Install only if you intend to use RevoScale for lawful business prospecting. Protect REVOSCALE_API_KEY, submit only contacts your organization is allowed to process, and apply your own consent, anti-spam, platform-terms, and privacy-law controls before using personal emails or mobile numbers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to send personal data such as names, company domains, email addresses, and LinkedIn profile URLs to a third-party service, but it does not provide a clear user-facing notice or consent step before doing so. This creates privacy and compliance risk because users may not realize sensitive personal data is being transmitted externally, especially when the tool can retrieve non-public personal contact details for outreach.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The sections covering personal email and mobile phone discovery normalize retrieval of highly privacy-sensitive contact data from LinkedIn URLs without a strong warning, access restriction, or consent workflow. In context, this is more dangerous than ordinary business-email enrichment because it facilitates doxxing-like enrichment and off-platform contact of individuals using personal channels, increasing privacy, harassment, and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal