ClawHub

Incorporate

Security checks across malware telemetry and agentic risk

Overview

This skill is a legal document generator that may be useful, but it overstates its coverage and handles sensitive business, personal, and tax data without enough safeguards.

Install only if you understand this is a document-generation aid, not legal or tax advice. Use it for the explicitly supported Nevada/Delaware C-Corp or LLC scenarios, and do not rely on the any-US-state or S-Corp claims without professional review. Treat configs and outputs as sensitive records, especially addresses, cap tables, ownership details, and SSNs, and use cloud upload only after checking folder permissions and sharing settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s advertised scope materially overstates what it can safely and accurately produce, including claiming broad state and entity support while the workflow and references are limited to a small set of jurisdictions and entity types. In a legal-document-generation context, this mismatch can cause users to rely on incorrect formation paperwork, omit required state-specific filings, or receive tax-sensitive documents such as 83(b) forms without clear scope boundaries, creating compliance, governance, and financial risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code conditionally generates a Section 83(b) tax election form even though the skill metadata describes an incorporation-document package, not tax-document preparation. In this context, silently expanding into tax advice/document generation is risky because users may rely on a legally and tax-sensitive form that depends on facts not validated by the tool, creating compliance and filing-deadline harm.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation only generates corporation-oriented documents such as Articles of Incorporation, bylaws, stock ledgers, and board resolutions, while the skill description claims support for C-Corp, S-Corp, and LLC formation. In a legal-document automation context, this mismatch is dangerous because an LLC or S-Corp user could receive the wrong governance and filing package and mistakenly file or adopt invalid documents for their entity type.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring says the tool outputs documents 'ready to file,' but the generated package includes internal governance documents, highlighted placeholders, and at least one filing date left intentionally incomplete for later manual entry. In a filing-focused legal workflow, overstating completeness can cause users to submit incomplete or inappropriate documents or skip required review steps.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs uploading highly sensitive incorporation materials to Google Drive without any consent, retention, access-control, or confidentiality guidance. These documents contain personal and business-sensitive data such as names, addresses, ownership stakes, directors, and tax-related records, so silent cloud upload increases the chance of unauthorized exposure or inappropriate third-party storage.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The checklist explicitly instructs users to confirm personal addresses for directors, which involves handling sensitive personal information, but it provides no privacy, minimization, or secure-handling guidance. In a business-incorporation skill, this increases the chance that users collect, store, or transmit PII inappropriately in shared docs, chats, or unsecured systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template explicitly collects highly sensitive personal data, including a Social Security Number, and instructs recipients to distribute copies to the company and attach them to a tax return without any privacy, minimization, redaction, storage, or transmission safeguards. In a document-generation skill, this increases the risk of unnecessary exposure of tax identity data through insecure handling, copying, retention, or inclusion in generated artifacts that may be stored or shared broadly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly tells users to copy the config, fill in detailed corporate and personal information, and feed it to an agent, but it provides no warning that the data includes sensitive identifiers such as personal addresses, registered agent details, cap table allocations, and ownership structure. In an agent-based workflow, that omission increases the risk of unnecessary collection, over-sharing to third-party systems, retention in logs, or disclosure through downstream integrations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal