Business Plan Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward business-plan generator, with the main caveat that full mode sends the user’s business description to OpenAI.

Use quick mode if you want local template-only output. Use full mode only if you are comfortable providing an OpenAI API key and sending the business description to OpenAI; avoid including confidential strategy, customer data, regulated information, or unreleased financial details unless your policies allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The skill explicitly retrieves an API key from the environment and transmits user-supplied business descriptions to an external OpenAI service. That behavior is not reflected in the provided skill metadata/description, so users may unknowingly disclose confidential product, strategy, or financial information to a third party.

Vague Triggers

Medium, 78% confidence
Finding
The description is broadly phrased as a general-purpose business-plan generator without clear invocation boundaries or exclusions. In agentic environments, vague trigger conditions can cause the skill to be selected too often, leading to unnecessary access to user business data, environment-backed API usage, or file output in contexts where the user did not explicitly request this tool.

Missing User Warnings

Medium, 94% confidence
Finding
In full mode, the entire user business description is embedded into a prompt and sent to the OpenAI API without any explicit warning at the point of use. Because business plans often contain non-public strategy, customer, pricing, and financial data, silent transmission to an external processor creates a real confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
