Funnel Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a marketing funnel builder, but it gives agents broad autonomous sales, messaging, webinar, and trading-signal promotion instructions that need human review before use.

Install only if you intend to use it for active sales-funnel work and will keep human approval in the loop. Use a dedicated Telegram bot, review every outbound email, public post, Telegram message, payment page, and webinar before publishing, and clearly label automated or prerecorded webinars. Do not use the trading-signal templates without prominent financial-risk disclosures and compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 92% confidence
Finding
The trading-signals template promotes performance claims and signup flows without any accompanying disclosure that results are not guaranteed and that trading can lead to losses. In a funnel-building skill, this omission can systematically generate misleading financial marketing content that understates user risk and increases legal, compliance, and consumer-harm exposure.

Missing User Warnings

Medium, 94% confidence
Finding
The pricing and FAQ examples for trading signals encourage users to follow signals with exact execution details but do not warn about financial risk, loss potential, or the non-guaranteed nature of outcomes. Because this file is a reusable template, the omission can be replicated across many generated landing pages and make speculative financial activity appear safe or mechanical.

Ssd 4

Medium, 96% confidence
Finding
The skill explicitly instructs the agent to run an automated webinar that 'appears live' and uses pre-scripted chat/Q&A cues, which is a deceptive interaction pattern. This is dangerous because it can mislead prospects about the nature of the engagement, undermine informed consent, and expose operators to fraud, platform-policy, and legal/compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
