Biz License

Security checks across malware telemetry and agentic risk

Overview

This appears to be a due-diligence reporting skill whose sensitive outputs are aligned with its stated purpose, but users should treat the reports as sensitive and verify them independently.

Install only if you have a lawful and authorized reason to run due-diligence checks. Treat generated PDF or Markdown reports as sensitive business and personal-data documents, verify source data before relying on conclusions, redact unnecessary identifiers before sharing, and do not use the report as the sole basis for high-impact legal, hiring, lending, or procurement decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly performs related-party analysis using a legal representative's identity and linked companies, which can expose personal and organizational relationship data without any stated privacy warning, consent boundary, or permitted-use limitation. In a due-diligence context, this increases the risk of misuse, overcollection, and inappropriate profiling of individuals and affiliated entities.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill generates exportable PDF/Markdown due-diligence reports with pass/conditional pass/fail conclusions and risk scoring, yet it does not warn that these outputs may contain sensitive business or personal information and may influence consequential decisions. This omission makes downstream sharing, overreliance, and privacy-harming dissemination more likely, especially when data comes from scraping or aggregated public registries.

VirusTotal

64/64 vendors flagged this skill as clean.
