ClawHub

Hutian Opc Investor Roadshow

Security checks across malware telemetry and agentic risk

Overview

This is a business outreach and investor roadshow toolkit; it handles contact and company information, but the behavior is disclosed, purpose-aligned, and not hidden or destructive.

Install only if you intend to use it for legitimate business招商 or roadshow support. Before using the templates, set clear rules for consent or lawful basis, minimum necessary fields, who may access CRM records, how long records are retained, and when contact or business data must be deleted or redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs collection of company data from multiple external sources, including legal representatives, shareholders, financing history, complaint records, and related due-diligence information, but provides no privacy, consent, retention, or lawful-use safeguards. In a real deployment, this can lead users or downstream agents to aggregate sensitive business and potentially personal data without checking legal basis, minimization, or compliance obligations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script explicitly prompts the operator to collect sensitive business information such as team size, revenue scale, and financing stage without any notice about confidentiality, lawful basis, minimization, or safe handling. In a招商/outreach context, this creates a real risk of over-collection, improper disclosure, or mishandling of commercially sensitive information during prospecting conversations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
该模板明确收集联系人姓名、职位、手机、邮箱、微信及决策影响力等个人信息,但没有说明收集目的、最小化原则、访问权限、保存期限或共享限制。用于招商场景时,这些信息很容易形成可识别的商务联系人画像,一旦被过度传播、长期留存或误用,会造成隐私合规风险与定向骚扰风险。

Missing User Warnings

Medium
Confidence
90% confidence
Finding
服务台账要求持续记录企业反馈、政策兑现、发展动态和满意度等经营与关系信息,这些内容虽然不一定都是个人敏感信息,但属于较高敏感度的商业运营数据。文档未规定分类分级、内部可见范围、脱敏展示和保存删除要求,可能导致商业信息泄露、越权访问或不当对外扩散。

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal