ClawHub

Channel Follow-up Automation

Security checks across malware telemetry and agentic risk

Overview

This is a manual sales follow-up planning skill with broad triggers, but no evidence of hidden storage, credential use, network access, or destructive behavior.

Use this as a manual planning assistant. Provide only the contact and pipeline details needed, review messages before sending them, and keep the authoritative business records in a system you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation phrase '生成今天的渠道跟进清单' is broad and does not clearly constrain required inputs, data sources, or side effects. In an agent setting, vague triggers can cause the skill to activate in unintended contexts or operate on whatever channel data is available, increasing the risk of accidental disclosure or unintended workflow execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes adding new channel records and updating follow-up status, which implies persistent storage and modification of business relationship data, but it does not disclose that data will be stored, where it is stored, or when records are changed. This can lead users to unknowingly persist sensitive commercial information and can cause unauthorized or accidental modification of operational data.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad and overlap with ordinary business conversation, so the skill could activate when the user is merely discussing follow-up generally rather than intentionally invoking this automation. In a sales/productivity context, accidental activation can cause unintended workflow suggestions, noisy reminders, or inappropriate use of channel data, which is a genuine safety and reliability issue even without overtly malicious behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal