Insurance Agent Trainer

Security checks across malware telemetry and agentic risk

Overview

This insurance training skill is not malware, but its package makes inconsistent claims about code and network use while encouraging sensitive agent/customer profiling and some pressure-based sales coaching.

Review this skill before installing in a real insurance environment. Use only synthetic or anonymized agent/client data, do not upload confidential product manuals or schedules unless your organization has approved the handling path, and run the included Python scripts only intentionally. Treat the sales scripts as draft training material requiring compliance review, especially the pressure-closing and objection-handling examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The workflow says the user can upload a product PDF and the system will parse documents, extract product structure, and generate a product profile, despite repeated claims elsewhere that the skill performs no real parsing or processing. This contradiction can mislead operators into providing sensitive documents under false assumptions about what the skill actually does, increasing the risk of unsafe downstream implementations or accidental disclosure.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The Quick Start flow describes live retrieval of agent information, product identification, training execution, scoring, and report output, which conflicts with the advisory-only and no-processing framing. Users may rely on the skill as if it actively handles internal performance data and generates evaluative outputs, creating a social-engineering style trust gap around data handling and system capabilities.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The full assessment workflow depicts creating agent profiles, running tests, generating radar charts, and producing 90-day plans, which reads like an operational assessment system rather than a static training reference. In a personnel-evaluation context, overstating these capabilities can cause inappropriate use with real employee data and create privacy, compliance, and fairness risks.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
This module is presented as an insurance product parser, but it contains unrelated network retrieval logic that pulls external lottery data. That creates unnecessary external data access, expands the attack surface, and introduces behavior that is hard to justify for the stated purpose, which is a classic scope-creep/surprise-capability risk in agent skills.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The training-case function operationalizes the unrelated lottery collection capability and repackages it for downstream use, despite the skill being framed around insurance training. Even if not overtly malicious, this is dangerous because it masks non-essential external data collection behind benign training logic and may enable unapproved data flows or deceptive feature expansion.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The function initializes metadata under qb['meta']['categories'] but later writes category counts to qb['categories'], creating an inconsistent output schema. Downstream consumers that rely on the declared metadata path may misread totals, skip compliance/accountability checks, or fail open when validating generated training content.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly describes analyzing daily client visit schedules and building agent profiles, which implies handling personal and potentially sensitive business data. Because the documentation does not warn against using real personal data or describe minimization, consent, retention, or redaction practices, users may input identifiable agent and client information into the skill in ways that create privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The usage examples include named agents and detailed visit/training scenarios, normalizing the practice of entering real identifiable personnel and client-related scheduling data into the system. In a training skill for insurance workflows, this context increases the chance that operators will paste live production data, creating unnecessary privacy exposure and possible regulatory noncompliance.

Ssd 4

Medium
Confidence: 93%
Finding
The prompt explicitly instructs agents to convert a customer's request to consult family into a purchase, framing hesitation as an objection to overcome rather than a consent boundary to respect. In an insurance training context, this can operationalize coercive sales behavior, undermine informed consent, and increase legal and regulatory exposure for mis-selling.

Ssd 4

Medium
Confidence: 95%
Finding
The L3 closing guidance explicitly promotes 'pressure closing' and making the customer feel they are deciding under engineered influence. In a regulated insurance-sales training system, this is especially dangerous because it scales manipulative tactics to agents, increasing the risk of unfair sales practices, consumer harm, complaints, and regulatory penalties.

VirusTotal

60/60 vendors flagged this skill as clean.
