Security audit

Agent Acquisition Master -- Agent becomes a master of client acquisition.

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent sales automation tool, but it can run ongoing outreach, read inbox replies, scrape prospects, and forward lead data without clear approval and privacy controls.

Install only if you deliberately want a persistent autonomous sales-outreach operator. Use dedicated email and social accounts, disable crons until reviewed, require manual approval or draft-only mode before sending, confirm legal and platform compliance, restrict Telegram/Google/Hunter/Apollo data sharing, and set retention/redaction rules for prospect and inbox data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Scope Creep

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to persist operational data into multiple learning files under /workspace/acquisition/learnings/, but those paths are not declared in the manifest's writable allowlist. This creates a permission mismatch that can lead to unauthorized file writes, policy bypass attempts, or failure modes where sensitive prospect and campaign data is stored outside approved locations.

Scope Creep

Medium
Confidence
95% confidence
Finding
The documented setup creates and updates several acquisition files such as templates, tracker_url.txt, and other onboarding artifacts that are not listed in the manifest permissions. When a skill documents writes beyond its declared scope, it increases the risk of uncontrolled persistence and makes the true filesystem impact larger than reviewers and users expect.

Scope Creep

Low
Confidence
91% confidence
Finding
The warmup module says it logs deliverability metrics to warmup_log.json, but that file is not in the writable allowlist. Even though the file is lower sensitivity than credentials, this is still a scope violation and can normalize writes outside approved boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This cron autonomously sends cold emails and scheduled follow-ups to external third parties without any explicit consent gate, approval step, or user-facing warning that the agent will perform outbound communications on the user's behalf. In skill context, this is more dangerous because the automation is operationally complete: it selects prospects, chooses templates, and logs sends immediately, which can create spam, legal/compliance exposure, account abuse, and reputational damage at scale.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cron reads Gmail replies, classifies message content, and forwards lead details and message contents to Telegram immediately, but provides no privacy notice, minimization rule, or safeguard around transmitting potentially sensitive correspondence to another service. This is especially risky in this sales-automation skill because inbox replies may contain personal data, business-sensitive information, or opt-out requests, and cross-platform forwarding increases the chance of unauthorized disclosure or mishandling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cron instructs the agent to scrape LinkedIn for prospects and verify emails through Hunter, but gives no warning or control around third-party data collection, external API transmission, or platform terms/compliance risks. In this context the danger is elevated because the skill is designed for growth automation, so it systematically harvests professional profile data and exports identifiers to external enrichment services, creating privacy, contractual, and data-governance exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly describes autonomous prospecting, sending, follow-up, qualification, and persistent logging, but provides no warning about use of connected third-party accounts, rate limits, consent requirements, or storage of personal/prospect data. In an outreach automation skill, this omission is dangerous because it can lead users to enable bulk messaging and data retention workflows that violate platform rules, privacy expectations, or anti-spam obligations without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises immediate Telegram notifications and Google Sheet tracking tied to lead qualification and revenue workflows, but does not warn that prospect or business data may be transmitted to external services. This creates a real privacy and data-handling risk because personal data, lead status, and commercial information could be shared to third-party systems without the user's informed understanding or proper safeguards.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill advertises very broad trigger phrases such as finding clients, generating leads, building an audience, and growing revenue. That broad invocation surface makes accidental activation more likely for ordinary business requests, which is especially risky here because the skill can perform outreach, read inboxes, and interact with external services.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill describes automated cold email, LinkedIn outreach, inbox reading, Telegram notifications, and scheduled execution, but does not present a clear user-facing warning about privacy, account, compliance, and platform-enforcement risks. In this context, silent or under-disclosed automation can expose personal data, trigger account restrictions, and send messages on the user's behalf without sufficiently informed consent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The usage field, "Tout produit ou service B2B vendu à des entreprises," is extremely broad and can cause the skill to be invoked for nearly any B2B sales-related request. In an outreach automation skill, overbroad activation increases the chance the agent applies cold-email or prospecting behavior in contexts where the user did not explicitly request outbound sales actions, creating misuse and policy/compliance risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The examples list—"SaaS," "API," "service conseil," "agence," "outil pro"—is so generic that it covers a vast range of business offerings without meaningful boundaries. In this skill's context of client acquisition, such vague examples make unintended invocation more likely and can steer the agent into producing outreach or lead-generation tactics for sensitive or inappropriate targets.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to log full action results, context, lead status, hypotheses, engagement data, and examples immediately after each action across persistent files. In a sales/outreach workflow, that can easily capture sensitive personal data, prospect communications, business intelligence, and potentially regulated contact information far beyond what is necessary for operation.

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.