Fiverr

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Fiverr business guide, but parts of it give risky advice about hiding automation patterns and under-disclosing AI use.

Before installing, treat this as non-authoritative business advice. Verify current Fiverr rules and applicable law, disclose AI use whenever required or when a client could reasonably be misled, do not use timing or wording tricks to disguise automation, and do not share client materials with VAs without permission and confidentiality safeguards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill discusses AI-assisted client work but does not present a strong default warning that disclosure obligations may arise from platform rules, buyer requirements, contract terms, or law. In a freelancing context, that omission can mislead users into under-disclosing AI use, creating compliance, trust, and account-enforcement risk.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The statement 'Disclosure required only when clients ask' encourages non-disclosure as the default and may conflict with stricter legal, contractual, or marketplace transparency obligations. In a client-services skill, this can directly lead users to deceive buyers or violate platform policy, exposing them to disputes, refunds, suspension, or regulatory issues.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advises compiling and sharing client requirements, reference files, and conversation-derived notes with VAs, but provides no safeguards for consent, minimization, or secure handling of customer data. This creates a real privacy and confidentiality risk, especially if client materials contain personal, proprietary, or licensed content and are redistributed to third parties without authorization.

Natural-Language Policy Violations

High
Confidence: 97%
Finding
The document explicitly tells users to vary response timing so they do not 'look automated,' which is guidance for evading platform detection rather than simply improving communication quality. Instructions framed around concealing automation materially increase the likelihood of deceptive platform use and account-policy violations.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
This section enumerates what Fiverr detects and prescribes 'safe practices' to avoid those signals, including message variation, natural delays, and IP/device discipline. That is operational guidance for countering trust-and-safety monitoring and facilitating automated or coordinated activity while reducing the chance of detection.

VirusTotal

64/64 vendors flagged this skill as clean.
