ClawHub

Ai Scam Defense

Security checks across malware telemetry and agentic risk

Overview

This is a useful scam-recovery guide, but it tells the agent to remember very sensitive fraud and identity-theft details across sessions without clear privacy controls.

Review before installing if you may use it during a real fraud incident. Ask the agent to keep only coarse checklist status unless you explicitly want details remembered, and avoid storing report numbers, exposed identifiers, account names, or scammer contact details in persistent memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly persists highly sensitive scam-response data across sessions, including amount lost, dates, personal information exposure, scammer contact details, police report numbers, and identity-theft recovery status, without any user-facing notice, consent, retention limit, or minimization guidance. In a scam-recovery context, this is more dangerous than usual because victims are likely to disclose financial, identity, and law-enforcement details while under stress, making the stored state a valuable target and a potential privacy harm even if the skill's overall purpose is protective.

Ssd 3

Medium
Confidence
97% confidence
Finding
The persistent state schema stores detailed victim and incident data in structured fields across sessions, effectively creating a long-lived profile of fraud exposure, financial loss, identity compromise, and remediation steps. This is dangerous because such aggregated records can enable secondary fraud, identity theft, social engineering, or reputational harm if accessed improperly, and the scam-defense context makes the data especially sensitive and attractive to attackers.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal