ClawHub

vendor-onboarding-workflow

Security checks across malware telemetry and agentic risk

Overview

This is a plain workflow checklist for vendor onboarding, but it handles sensitive vendor documents that should be kept in secure business systems.

Install only if you want a vendor onboarding checklist. Treat it as process guidance, not permission for an agent to freely handle vendor records. Store W-9s, W-8BENs, tax IDs, ACH details, insurance documents, contracts, and approval packets in approved secure systems, limit access to people who need it, avoid pasting full sensitive documents into chat, and require human approval before granting vendor system access or marking a vendor active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to collect and track sensitive vendor data including EIN/Tax ID, business address, contact details, and litigation disclosures, but does not provide any privacy, retention, access-control, or secure-storage guidance. In a vendor onboarding context, this omission increases the risk of unnecessary exposure of regulated or sensitive business information through spreadsheets, forms, email, or shared drives.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow requests transmission, review, and filing of sensitive compliance and financial documents such as W-9/W-8BEN, COI, NDA, licenses, and related records, yet only briefly warns against emailing ACH data while leaving other document handling unsecured. Because the process explicitly suggests email and shared drives, users may transmit high-value documents through insecure channels or store them in broadly accessible locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal