ClawHub

Business Ideas

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent business-idea helper, but it can create and update local idea notes and its validation advice should be used with privacy and transparency in mind.

Install only if you are comfortable with the agent keeping business ideas and preferences in ~/business-ideas/. Treat those files as potentially sensitive if they include proprietary plans. For validation experiments, use clear disclosures, privacy notices, consent for email collection or marketing, and honest messaging when a product or feature is not yet available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill defines a persistent storage location under the user's home directory and frames memory as part of normal operation, but it does not clearly warn the user that local files may be created or modified. In an agent setting, silent persistence can expose private preferences, overwrite existing notes, or cause the assistant to make stateful changes the user did not explicitly consent to.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to proactively append, move, and update files based on user interactions, yet it does not require confirmation before making those filesystem changes. This is dangerous because ordinary conversational actions like liking or rejecting an idea could trigger unintended persistent edits, creating hidden state and potential privacy or integrity issues on the local system.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill instructs the agent to create directories and files under the user's home directory without any explicit disclosure, consent step, or runtime confirmation. Although the files are limited to a plausible app-specific folder and appear non-destructive, silent filesystem modification is still a real security and trust issue because it changes persistent user state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance tells users to collect email signups and purchase traffic as part of validation, but it omits basic privacy, consent, and data-handling safeguards. In a business-ideas skill, this can lead users to gather personal data without proper notice, lawful basis, retention limits, or secure handling, creating compliance and trust risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The fake-door test recommends presenting a feature or product entry point for something not yet available, which can mislead users if not carefully disclosed. In this context, the skill normalizes a deceptive validation tactic without guardrails, increasing the risk of dark-pattern behavior, user trust erosion, and possible consumer-protection issues.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal