Webflow

Security checks across malware telemetry and agentic risk

Overview

This is a Webflow guidance skill whose data and script integration examples are the kind expected for building sites; no hidden code or automatic unsafe behavior was found.

Install is reasonable for normal Webflow help. Before using integrations on a live site, keep secrets out of ~/webflow/memory.md, use least-privilege Webflow tokens, verify webhook ownership and HTTPS, and review analytics or embed privacy requirements for your users' regions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings
Medium, 87% confidence
Finding: The guidance tells users to post form submissions directly to a custom CRM endpoint without any warning about handling personal data, transport security, consent, authentication, or data minimization. In a web-building skill, this can normalize sending user-submitted lead data to third parties in ways that violate privacy requirements or expose data if the endpoint is misconfigured.

Missing User Warnings
Medium, 84% confidence
Finding: The instructions recommend installing GA4 and conversion tracking with no warning that these scripts collect visitor data and may require consent, notice, and configuration to avoid over-collection. In this context, users may deploy tracking on production sites without privacy controls, creating compliance and data exposure risk.

Missing User Warnings
Medium, 86% confidence
Finding: The skill advises adding third-party chat, payment, and calendar embeds but does not warn that external scripts can access page context, collect user data, and expand the site's attack surface. Because these are inserted as custom code, users may trust and deploy them without vendor review, CSP consideration, or privacy disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.