ClawHub

Customer Retention

Security checks across malware telemetry and agentic risk

Overview

This is an informational customer-retention playbook with no executable code, install scripts, credential use, or hidden behavior, though users should apply privacy and email-compliance controls before acting on its outreach advice.

Safe to install as a strategic advice skill. Before using its recommendations in a real business, make sure tracking uses disclosed and necessary customer data, honor unsubscribe and communication preferences, avoid sensitive or undisclosed profiling, and comply with applicable privacy, email, and telecom rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes very broad, common business phrases such as "customer loyalty," "improve retention," and "keep customers," which can match ordinary conversation and cause unintended skill activation. In an agent setting, misrouting a user into this skill can produce unsolicited retention guidance, create confusing behavior, or divert execution away from the user’s actual intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This section recommends monitoring user behavior, sending re-engagement emails, personal outreach, and cancellation-related messaging, but does not mention consent, lawful basis, opt-out handling, or privacy expectations. That omission can lead operators to deploy tracking and communications in ways that violate privacy norms or anti-spam requirements, especially when using inactivity, failed payments, or engagement signals to target individuals.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal