Proof Engine

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent proof-management purpose, but it broadly scans sensitive business data, can send summaries to Telegram, and writes outside its declared workspace boundaries.

Install only after reviewing the scan scope and Telegram behavior. Use a dedicated Telegram bot/chat, avoid placing sensitive client or financial data in scanned directories unless intended, disable or avoid scheduled syncs until tested, and verify cross-skill writes before letting it deploy proof into brand, voice, funnel, or outreach workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tainted flow: 'req' from os.environ.get (line 98, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            data=payload.encode(),
            headers={"Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=10):
            pass
        print("  ✅ Telegram sent")
    except Exception as e:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=10):

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README states that the skill runs only on local files, yet it requires Telegram bot credentials from the agent environment. That contradiction can mislead operators about outbound connectivity, data flow, and privacy exposure, increasing the chance that sensitive proof, financial, or client data is transmitted externally without informed consent.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The setup text says all engines work on local files only, yet the skill also requires Telegram credentials and describes automatic Telegram notifications. This can mislead operators into enabling the skill under an incorrect trust assumption, increasing the chance that sensitive financial or operational data is transmitted off-host without informed consent.

Scope Creep

High
Confidence
93% confidence
Finding
The skill documents writes to /workspace/brand/proof/ and /workspace/.learnings/LEARNINGS.md even though those destinations are not included in the declared write permissions. Undeclared write targets are dangerous because they bypass operator expectations and can tamper with other skills' data, persistence stores, or downstream behavior outside the approved scope.

Scope Creep

High
Confidence
95% confidence
Finding
The documented write to /workspace/voice/scripts/ exceeds the manifest's declared write scope and crosses into another skill's area. This is risky because it allows the skill to modify content consumed by voice or sales workflows, potentially injecting misleading, privacy-sensitive, or unreviewed material into downstream outputs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Outbound Telegram integration is not essential to local proof management and causes business metrics, proof summaries, and operational state to leave the workspace. Because the skill handles revenue, P&L, and proof data, external notification broadens the attack surface and creates a real privacy and data-governance concern even without obvious malicious behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The agents-capture routine recursively scans multiple unrelated workspace directories for AUDIT.md files, far beyond a narrowly scoped proof vault. In the context of an agent skill, this broad inventorying of other tools' artifacts is risky because it collects metadata from unrelated projects without consent and normalizes cross-skill data access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The funnels-capture logic walks /workspace/revenue and /workspace/CASHFLOW and inventories all JSON files as potential revenue sources. That exceeds the minimum needed for a proof engine and can expose or repurpose sensitive financial artifacts from other components, making the skill more dangerous in a multi-skill workspace.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README requests Telegram credentials but provides no warning about messaging, third-party transmission, retention, or privacy implications. In this skill's context—handling P&L, funnel revenue, testimonials, and other sensitive business proof—omitting those disclosures materially increases the risk of unintentional exfiltration or non-compliant data sharing.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes Telegram alerts containing financial and operational information but does not provide a clear warning that this data will be sent to a third-party service. Even if the content is summarized, revenue figures, proof items, and business performance updates can be sensitive and their external transmission increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Referencing existing Telegram credentials in the agent environment without a strong warning normalizes automatic use of sensitive secrets and external messaging. This can cause operators to unknowingly authorize outbound notifications using already-present credentials, reducing friction for unintended data exfiltration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill reads broadly across workspace audit and revenue locations without an explicit warning, prompt, or narrow source declaration. In a shared agent workspace, this can silently access sensitive operational and financial metadata from unrelated components, increasing privacy and least-privilege concerns.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Telegram notifications send proof and revenue-adjacent summaries off-box without an explicit warning at the point of use. Because the skill's purpose centers on consolidating business proof, those messages may contain commercially sensitive information whose external disclosure users may not expect.

VirusTotal

64/64 vendors flagged this skill as clean.
