Mortgage Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent mortgage-marketing content generator, with external-model and Telegram privacy considerations that users should understand before sharing sensitive campaign details.

Install with normal caution. Use local mode for confidential or regulated mortgage-marketing material when available, and avoid sending customer PII, lead details, financial information, unpublished strategy, or compliance-sensitive content through Telegram or a hosted model unless your organization approves that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly requires an Anthropic API key and documents a Haiku fallback, which implies user-supplied campaign briefs may be transmitted to a third-party model provider, but it does not warn users about that data flow. Marketing briefs can contain sensitive business plans, customer segmentation details, property information, or regulated lending content, so undisclosed external transmission creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The Telegram example encourages users to submit campaign content through a third-party messaging platform without any warning that message contents may be exposed to Telegram, intermediaries, bot infrastructure, and the downstream model backend. In this skill's mortgage-marketing context, prompts may include sensitive lead, property, or compliance-related information, making silent use of a chat platform riskier than generic public content generation.

VirusTotal

65/65 vendors flagged this skill as clean.
