ClawHub

Perfect Automation

Security checks across malware telemetry and agentic risk

Overview

This is a static automation-planning guide with broad trigger wording and customer-data examples, but it does not install code, access credentials, or run automations itself.

Install only if you want workflow automation design guidance. Treat generated workflows as plans: review data fields, permissions, customer consent, notification effects, and test-environment behavior before connecting real accounts or enabling production automations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises trigger phrases like “自动化”, “工作流”, and “自动” directly in metadata, which are extremely broad and likely to appear in many ordinary conversations. This can cause accidental invocation of the skill in contexts where the user did not intend automation guidance, increasing the chance of inappropriate recommendations for external-service actions or data-moving workflows.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The dedicated trigger list repeats ambiguous phrases including “自动”, “提效”, and “帮我自动化”, which overlap with common productivity requests. In this skill’s context, accidental activation is more dangerous because the content includes concrete automation patterns involving CRMs, messaging, and customer data flows that may be acted on without sufficient scoping.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow examples describe moving form, CRM, email, project-management, and Slack data across external services but do not warn about privacy, consent, data minimization, or production impact. This is risky because users may implement automations that expose personal data, send unintended notifications, or create records in third-party systems without appropriate review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The customer onboarding and health-monitoring templates process customer records, contract status, usage data, CRM segmentation, email campaigns, and follow-up tasks without any privacy or governance warnings. In context, this omission is more concerning because these are sensitive business workflows that can affect real customers through profiling, messaging, and account handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal