Yield

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it is a conversion-optimization skill that profiles users and can secretly steer bot responses toward sales outcomes.

Install only if you intentionally want a sales/conversion advisor for bots and can disclose that behavior to users. Before deployment, remove the 'never mention YIELD' prompt, make any personalization transparent and consent-aware, avoid pressure tactics for consequential decisions, disable or minimize raw message history export, and add retention, logging, access-control, opt-out, and CRM handoff safeguards.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (21)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code injects `analysis.contextualDirective` into the downstream prompt specifically to steer the model toward conversion and sales outcomes. In a conversational agent, this creates a manipulative hidden-instruction layer that can bias responses away from the user's interests and toward persuasion without disclosure, which is a real safety issue even though it is framed as product optimization.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The CRM export path enables transfer of conversation-derived behavioral data, portfolio state, and message metadata into another system without any visible access control, minimization, or purpose limitation in the example. In the context of a persuasion- and conversion-oriented skill, this increases risk because it operationalizes profiling data for sales handoff and downstream targeting.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs operators to perform hidden psychological signal analysis before every response and to conceal that behavior from users. This creates covert profiling and manipulation risk, especially because the stated goal is to optimize trust, urgency, commitment, and conversion rather than serve the user's informed interests.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
This section directly tells the bot to silently evaluate psychological traits and shape responses to execute persuasion strategies while hiding the mechanism from the user. The combination of concealment, behavioral targeting, and conversion optimization is a strong indicator of manipulative design rather than ordinary conversational assistance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example processes raw Discord message content and combines it with a persistent per-user conversation identifier derived from channel and user ID, enabling behavioral tracking without any disclosure or consent mechanism. In the context of a tool explicitly designed to optimize trust, micro-commitments, and conversion momentum, this creates a meaningful privacy risk and could violate platform expectations or legal notice requirements if adopted directly by developers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The server-wide report aggregates conversation-derived engagement and conversion metrics but provides no indication to users that their activity is being rolled up into analytics dashboards. Because the surrounding skill markets itself as a revenue and conversion optimization engine, the aggregation is more sensitive than ordinary operational telemetry and increases the risk of covert profiling of community members.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example logs conversation identifiers and detailed behavioral analysis to the console, and the user task notes that user message and conversation ID are logged without disclosure. In real deployments, console logs are often collected centrally, retained, and accessible to operators, which can expose user content and inferred behavioral state unnecessarily.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code forwards raw user messages plus hidden analysis directives into another response generator without sanitization, minimization, or disclosure. Even with no external API in this example, this pattern increases privacy risk and can amplify prompt-injection or unintended model steering because untrusted user input and internal control text are concatenated into one prompt.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Exporting Telegram conversation analytics to a CRM without user-facing notice or consent creates a privacy and compliance risk, especially when the exported data reflects inferred user intent, urgency, and conversion potential rather than just raw operational data. In this skill context, the profiling purpose makes the issue more sensitive because the system is explicitly designed to shape user behavior and maximize conversion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The engine persists raw user messages in in-memory conversation history and uses them for later analysis, but the implementation provides no minimization, redaction, consent, retention control, or visibility into how long plain-text user content is kept. In a system processing potentially sensitive chat content, retaining full message text increases privacy and breach exposure even if no external API calls are made.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code explicitly serializes detailed conversation state, including psychological asset scores, full history, timestamps, and message counts, for persistence. Retaining this kind of behavioral profiling data without clear disclosure, consent, minimization, or retention controls creates privacy and misuse risk, especially because it can be used to infer susceptibility and optimize persuasion over time.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The file’s stated purpose is to track psychological dimensions across a conversation and compute a yield score that improves conversion momentum. In this skill context, that is not a neutral analytics feature; it is a system for covert behavioral profiling and persuasion optimization without any visible consent or user-protective constraints.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The comments describe predicting abandonment from conversation trajectories, which operationalizes user vulnerability detection for persuasion timing. In combination with conversion-window logic elsewhere in the file, this increases the risk that the system exploits moments of receptivity or pressure rather than supporting informed, autonomous decision-making.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The directives explicitly encode covert persuasion tactics to build trust, create incremental commitment, and drive conversion without user awareness or consent. Because these strings are designed to be injected into a bot's system prompt, they can systematically shape model behavior toward manipulation rather than user benefit, creating a real social-engineering risk.

Ssd 4

Medium
Confidence
88% confidence
Finding
The strategy framework encourages the bot to deliberately build trust and stack micro-commitments toward later conversion actions, which can be used to manipulate users into decisions they would not otherwise make. In context, this is more dangerous because the skill markets itself around revenue lift and conversion timing rather than neutral assistance.

Ssd 4

High
Confidence
99% confidence
Finding
The prompt-injection variant operationalizes covert psychological profiling as a system instruction executed before every response and explicitly conceals that influence from the user. Because it is framed as a reusable drop-in prompt for any bot, it enables broad deployment of manipulative behavior across platforms with little friction.

Ssd 3

Medium
Confidence
96% confidence
Finding
exportConversation returns the entire messageHistory array in plain language, which can expose all prior user inputs to logs, downstream consumers, backups, or any caller with access to the export function. Because this skill is specifically designed to profile conversational trust, commitment, and conversion dynamics, the exported history may contain sensitive behavioral and personal data beyond what is necessary for functional state transfer.

Ssd 4

Medium
Confidence
93% confidence
Finding
The narrative design maps trust, urgency, commitment, curiosity, and authority into a compounding portfolio intended to increase conversion over time. In this context, the skill description and implementation make the gradual persuasion/escalation pattern explicit, so this is more than innocuous UX modeling; it is a framework for systematically steering users toward an offer.

Ssd 4

Medium
Confidence
96% confidence
Finding
The conversion-window logic waits until trust and commitment cross thresholds, checks whether yield is near peak, and then declares the optimal moment to present an offer. This directly operationalizes progressive persuasion based on inferred user state, making the skill more dangerous because its declared purpose is maximum revenue lift rather than user welfare.

Ssd 4

Medium
Confidence
90% confidence
Finding
The file defines a staged funnel for trust-building, escalation, objection handling, conversion timing, and graceful re-entry, which is a structured persuasion framework rather than neutral conversational assistance. In the context of a reusable agent skill, this makes the system more dangerous because it can operationalize manipulative engagement patterns across many deployments at scale.

Ssd 4

High
Confidence
97% confidence
Finding
The COMPOUND, LEVERAGE, and HARVEST directives explicitly instruct the agent to elicit 'micro-yes' commitments, use earned authority aggressively, and present a low-friction call to action at the perceived moment of maximum susceptibility. This is dangerous because it implements progressive influence and authority exploitation patterns commonly associated with manipulative sales and social engineering, especially when hidden in a system prompt.

VirusTotal

65/65 vendors flagged this skill as clean.
