Business Bankruptcy Marketing Kit

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable legal-marketing skill, but its templates and eligibility claims create enough public confidentiality and compliance risk to require review before installation.

Install only after a Nevada bankruptcy attorney reviews and updates the content. Public review responses should be rewritten to be fully generic, review requests should ask all clients for honest feedback without satisfaction-based conditions, and all eligibility thresholds or legal claims should be verified against current law before publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file explicitly says public GBP responses must not confirm or deny that a reviewer is a client, yet several templates do so indirectly by referring to 'your behalf,' 'our work together,' consultations, referrals, financing, lease strategy, or specific bankruptcy processes. In a legal-services context, that can publicly reveal or strongly imply attorney-client relationships and matter characteristics, creating confidentiality and professional-responsibility exposure.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document warns against selective solicitation, but the final email says 'If you found value in our work together,' which conditions the review ask on a positive experience. That kind of steering can bias review collection, undermine FTC-style fairness principles, and create compliance risk for deceptive reputation management practices.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill is explicitly designed to generate Nevada-specific legal marketing content, but the cited section does not visibly constrain output to Nevada matters or require verification that the user is handling a Nevada bankruptcy marketing use case. In a legal-services context, jurisdiction-specific content applied to the wrong state can produce inaccurate compliance claims, misleading attorney advertising, and unauthorized or noncompliant legal marketing advice.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The manifest claims that every Nevada business under $7.5M in debt qualifies, which is an absolute eligibility assertion without qualification. In a legal-marketing skill, this can mislead users into relying on inaccurate jurisdiction- and fact-dependent advice, creating legal, compliance, and consumer-harm risk if the skill is surfaced as authoritative.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The response templates contain matter-specific phrases such as reorganization, Subchapter V, first-day motions, creditor representation, DIP financing, and lease strategy. Even without naming a client, replying in those terms to a public review can disclose or confirm sensitive legal-service details, which is especially dangerous in bankruptcy matters where reputational and financial harm can follow.

Ssd 4

Medium
Confidence
93% confidence
Finding
The final outreach asks for a public review if the client found value, but directs dissatisfied recipients to contact the firm privately before characterizing the experience publicly. That is a soft review-gating pattern that can suppress or divert negative feedback, creating consumer-protection and platform-policy risk even if framed politely.

VirusTotal

64/64 vendors flagged this skill as clean.
