Visit Briefing Generator

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates internal telecom visit briefings from user-provided customer records, but users should treat its outputs as sensitive business documents.

Install only if you are authorized to process the customer visit records you provide. Review generated briefings before sharing, handle exported Word files as confidential business documents, and verify any separately installed docx tool from a trusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrase "paste any visit record content" is overly broad and can cause the skill to activate on arbitrary pasted material, including sensitive chat logs, meeting notes, or unrelated content without clear user intent. In a skill designed to process customer visit records, this increases the chance of accidental ingestion and transformation of confidential business or personal data.

Ssd 3

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to faithfully record and output sensitive client information from source materials, including potentially regulated or confidential content from chat logs and handwritten notes. This creates a direct data leakage risk because the model is encouraged to reproduce sensitive details verbatim in generated summaries and follow-up documents, potentially exposing private customer, security, or financial information more broadly than necessary.

Ssd 3

Medium
Confidence: 97%
Finding
The confidentiality section is internally contradictory: it labels the tool as confidential/internal, yet requires verbatim inclusion of customer names, security events, and cost data. In this context, the instruction materially increases the risk of oversharing sensitive or regulated information in model outputs and exported Word documents, especially when source material is aggregated from multiple channels.

VirusTotal

VirusTotal findings are pending for this skill version.
