Security audit

Product Requirement Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a coherent product-requirements skill pack with business-analysis templates and no evidence of hidden execution, exfiltration, or destructive behavior.

Install if you want Chinese-language product-management and requirements-analysis templates. Treat customer research, stakeholder details, technical stack information, and financial metrics as sensitive: use only data you are authorized to process, prefer role-based or anonymized values where possible, and avoid pasting confidential or regulated information into unapproved environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly prompts users to collect named decision-makers, influencers, and users together with job titles and concerns, which creates a structured profile of identifiable individuals. While this is common in B2B sales research, the absence of any privacy, consent, minimization, or retention guidance increases the risk of unnecessary personal data collection, inappropriate sharing, or misuse in profiling.

Missing User Warnings

Low
Confidence: 88%
Finding
The skill explicitly asks users to provide real business metrics such as ARPU, churn, NRR, and pricing change assumptions, but it does not warn against sharing confidential company data or recommend redaction/anonymization. While this is not an exploit by itself, it increases the risk of inadvertent disclosure of sensitive financial information to the agent or downstream systems.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.