CCO / Chief Customer Officer

Security checks across malware telemetry and agentic risk

Overview

This customer-success skill is coherent and disclosed, with the main caution that it can keep optional local notes about sensitive customer and business information.

Before installing, decide whether the skill should engage broadly on customer-success topics or only when directly requested. If you enable its memory file, treat ~/cco/memory.md as potentially sensitive: avoid credentials, raw personal data, or confidential contract details unless local storage is acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The template explicitly instructs copying persistent memory to '~/cco/memory.md' and includes sections likely to hold sensitive business and customer data, such as key accounts at risk, health scoring, retention metrics, and expansion opportunities. Storing this information persistently without any warning, minimization guidance, access controls, or handling restrictions increases the risk of unintended retention, exposure, or later misuse of sensitive operational data.

Vague Triggers

Medium
Confidence: 88%
Finding
The setup text instructs the agent to 'start naturally' whenever someone appears to be asking for CCO-level guidance, before any explicit activation boundary is established. That creates a real risk of over-broad invocation, where the skill may engage on loosely related business conversations and collect or act on customer-success context without a clearly scoped trigger.

Vague Triggers

Medium
Confidence: 93%
Finding
The proposed activation conditions are broad and ambiguous: 'whenever you discuss customer success, churn, or retention,' 'proactively flag customer health concerns,' and 'jump into renewal and expansion discussions automatically.' Even though the text says to wait for an explicit answer, the activation scope being requested is expansive and may cause the skill to intrude into many adjacent conversations or trigger persistently beyond what the user intended.

VirusTotal

65/65 vendors flagged this skill as clean.