Cold Email Local Business

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple cold-email writing prompt that uses user-provided business CSV data, with no code execution or automatic sending, but users should handle contact data and outreach compliance carefully.

Install only if you intend to create cold outreach from business contact data you are allowed to use. Confirm the CSV source is lawful, avoid unnecessary personal data, comply with CAN-SPAM, GDPR, platform terms, and local privacy rules, and manually review any exported copy before importing it into bulk email tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (86% confidence)

The trigger phrases include very generic requests like "write cold emails" and "email sequence," which can cause the skill to activate for ordinary writing tasks beyond its narrow intended use. In context, this increases the chance the agent will steer users into unsolicited outreach workflows and scraped-data processing when they may have asked for general email help, creating misuse and compliance risk.

Missing User Warnings

Medium (92% confidence)

The skill explicitly instructs the user to ingest CSVs containing business contact data and promotes scraping/exporting emails, but provides no warning about consent, lawful basis, anti-spam obligations, or responsible handling of personal/contact information. In this context, the omission is meaningful because the skill is purpose-built for mass cold outreach using scraped data, which raises privacy, spam, and regulatory exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
