Marketing OS

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed marketing workflow skill with optional automation, CRM/content integrations, and local memory, but no hidden installer or malicious behavior was found.

Install only if you are comfortable with a marketing automation skill that stores campaign state and can be connected to CRM, content, and analytics systems. Keep auto_mode off until tested, leave adapters disabled unless needed, use least-privilege credentials, require human approval for publishing, paid campaigns, CRM writes, and budget changes, and periodically review or purge memory and logs for sensitive customer or business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
This is a real privacy/security design flaw: the adapter contract explicitly returns direct identifiers like email, name, and company while the same document states that PII should never be stored in Marketing OS memory. That contradiction increases the likelihood that downstream components will ingest, cache, log, or expose personal data contrary to the stated privacy model, creating compliance and data leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The README explicitly documents autonomous workflow execution, persistent writes to memory, and execution logging, but does not warn operators that enabling these features can modify system state, store potentially sensitive business data, or trigger chained actions without step-by-step approval. In an agent skill package, missing safety guidance increases the risk of unsafe deployment, especially when users may enable auto mode or integrate external adapters assuming the package is low-risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill explicitly supports `auto_mode` and later recommends enabling automatic workflows, but it does not define approval gates, action boundaries, or a user-facing warning about potentially impactful downstream actions such as CRM, content, or campaign system integrations. In an agent runtime, this can cause unattended execution of marketing operations, spending, outbound actions, or data changes without sufficiently explicit consent or safeguards.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The adapter explicitly exposes `publish_content` and `schedule_content` operations that can trigger external posting, but the interface contract does not require an explicit confirmation, approval signal, or user-visible warning at call time. In an agentic marketing system, this increases the risk of unintended or unauthorized publication to external channels, causing reputational damage, spam, or accidental disclosure if upstream components invoke these operations automatically.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The prompt instructs the agent to write updates and learnings directly to memory files, but it does not define authorization checks, validation rules, or conditions for when persistence is allowed. In an agent setting, this can let untrusted or low-confidence execution data become durable state, enabling memory poisoning, propagation of incorrect facts, or unintended cross-run influence on later decisions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The prompt directs persistent writes to memory files without any disclosure to the user or indication that externally sourced campaign data will be stored. This reduces transparency and can create privacy, compliance, and trust issues, especially if execution data contains sensitive business metrics, identifiers, or inferred strategic learnings that persist beyond the current task.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill explicitly instructs the agent to persist campaign state, learnings, and execution logs to local memory files, but provides no user-facing notice, consent gate, or restriction on what data may be stored. In an agent setting, this creates a real risk of retaining sensitive business inputs, operational data, or user-provided content beyond the current task, which can later be exposed, reused incorrectly, or modified without the user's awareness.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The scheduled and event triggers are defined in broad terms without clear activation thresholds, deduplication rules, or scope boundaries. In an auto-capable marketing skill with memory access and downstream execution handoff, this can cause unintended or overly frequent strategic runs, amplifying bad inputs or anomalous metrics into unnecessary actions and noisy logs.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The workflow persists the full campaign object to memory before human approval, and the manifest provides no explicit disclosure, consent checkpoint, retention control, or data minimization guard. In a marketing system, campaign plans can contain sensitive strategic, budget, channel, or customer-segmentation information, so storing them by default increases the risk of unauthorized retention, later misuse, or exposure through other workflows.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding:
The trigger definition uses the ambiguous value "event | manual" without clear activation boundaries, authorization rules, or precedence. This can lead to unintended workflow invocation paths, such as manual execution bypassing expected event-driven controls or event dispatch occurring without the safeguards normally associated with manual initiation, increasing the chance of unauthorized or accidental campaign planning.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The trigger type is declared as "event | manual", which creates ambiguity about who or what is allowed to invoke the workflow and under what validation path. In a workflow that executes tasks, writes persistent memory, and dispatches data to another skill, ambiguous invocation semantics can enable unintended or less-controlled execution paths and bypass assumptions tied to a single trigger mode.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The workflow dispatches the feedback payload to another skill ("virtual-cmo") without any visible guardrails on data minimization, consent, trust boundary validation, or transfer restrictions. Cross-skill data transfer expands the attack surface because downstream skills may have different permissions, prompts, or storage behavior, allowing sensitive operational data and learnings to propagate beyond the original execution context.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The workflow persists scored opportunities and generated strategy into long-term memory without any visible consent, retention control, or user-facing disclosure. In a marketing-analysis context, these outputs can encode sensitive business intelligence, customer insights, and strategic plans, so silent persistence increases the risk of unintended retention, cross-run data leakage, and later misuse by other workflows or agents.

VirusTotal

66/66 vendors flagged this skill as clean.