胡田 OPC Mentor Roadshow Management

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only roadshow management skill whose sensitive data handling is expected for the workflow, but users should add privacy and retention rules before using it with real investor or founder information.

Before installing or using this with real events, decide who may access notes, Q&A logs, replay links, contact records, and investor-intent forms. Use approved AI services only, get any required participant consent, redact sensitive details where practical, restrict sharing to authorized recipients, and set retention and deletion periods.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs AI to automatically generate meeting minutes, record investor questions, and analyze interaction patterns, which implies collection and processing of potentially sensitive business information and personal data. Because the document provides no notice, consent, retention, access control, or handling guidance, operators may deploy it in ways that violate privacy expectations, confidentiality obligations, or data protection requirements.

Missing User Warnings

Medium
Confidence: 93%
Finding
The template explicitly collects personal contact data including name, title, sector responsibility, and contact details, but provides no notice about lawful basis, purpose limitation, retention, access control, or consent. In a fundraising workflow this increases privacy and compliance risk because the data may be shared internally or externally without clear authorization or handling rules.

Missing User Warnings

Medium
Confidence: 92%
Finding
The SOP explicitly instructs staff to export live-stream data, generate replay links, collect investor intent via forms, and share Q&A records with project parties, but it provides no guidance on consent, minimization, retention, access control, or redaction of personal information. In a roadshow context, attendee identity, investor interest, contact details, and discussion content can be commercially sensitive, so unrestricted sharing or storage creates a real privacy and confidentiality risk.

VirusTotal

62/62 vendors flagged this skill as clean.
