Cleaning Maid Service Marketing Kit

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only marketing kit with no code execution or account access, but users should carefully review generated SMS, email, and compliance language before using it.

Safe to install as an instruction-only prompt kit, but treat its compliance claims as drafting help, not legal advice. Before sending or publishing outputs, verify SMS opt-out language, CAN-SPAM/TCPA consent, insurance and certification claims, review/referral rules, and avoid pasting policy numbers, customer lists, or a friend's contact details into an AI provider unless there is a clear consent and privacy basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
This is a real issue: the prompt’s compliance rules require SMS messages to include the exact opt-out phrase "Reply STOP to opt out," but the example output marks variants like "STOP to opt out," "STOP=end," and "Rply STOP opt out" as compliant. Because users often copy example outputs directly, this can mislead them into sending messages that are not actually compliant with the stated rule and may create TCPA/marketing compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The referral email explicitly encourages customers to reply with a friend's contact information, which prompts collection and sharing of a third party's personal data without that person's consent or any privacy notice. This creates privacy and compliance risk because the business may receive, store, or use personal information from non-customers without a lawful basis or clear disclosure.

Missing User Warnings

Low
Confidence: 88%
Finding
The example input includes specific insurance policy identifiers, carrier names, and related business coverage details that may be unnecessarily exposed if copied into prompts or published outputs. While not highly sensitive like credentials, these identifiers can aid profiling, social engineering, or unwanted disclosure of internal business information, especially because the skill encourages users to paste detailed operational data into an external model.

VirusTotal

VirusTotal findings are pending for this skill version.
