$100M Leads: How to Get Strangers To Want To Buy Your Stuff

Security checks across malware telemetry and agentic risk

Overview

This is a marketing advice skill with no executable code, credentials, persistence, or hidden data access, though users should apply its outreach advice carefully and legally.

Before installing, expect promotional Heardly watermarking and broad marketing-topic activation. Use the outreach templates only in ways that follow anti-spam, privacy, and platform rules, especially for cold email, DMs, and bulk contact lists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill advertises very broad trigger phrases such as 'grow my business', 'advertising', and 'content marketing', which are common across many unrelated user requests. This can cause unintended invocation, leading the agent to inject irrelevant guidance or override more appropriate skills, which is a security and reliability concern because it expands the skill's activation surface beyond its intended scope.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list contains very broad phrases such as "advertising," "grow my business," and "content marketing," which are common across many unrelated user requests. This can cause unintended activation of the skill, leading to irrelevant routing and increased exposure of the skill in contexts where it was not explicitly requested.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to contact strangers who have not given permission and frames success as a pure numbers game, but provides no warning about consent, anti-spam laws, platform policies, or reputational harm. In a lead-generation skill, this omission can normalize bulk unsolicited outreach and increase the chance users engage in spammy or non-compliant behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
