ClawHub
Back to skill

Security audit

cold-email

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cold-email skill that clearly uses a SkillBoss API key and sends lead details to SkillBoss, so users should treat the submitted lead data as shared with a third party.

Install this only if you trust SkillBoss to process prospect data and you have a lawful basis to use and share the lead information for outreach. Avoid submitting sensitive or regulated data unless approved by your organization, and keep SKILLBOSS_API_KEY in a secure secret store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly sends lead personal data, including email addresses and potentially LinkedIn and company website information, to a third-party API but does not provide a clear privacy notice, consent requirement, or data handling warning. This creates a real data-sharing risk because operators may unknowingly transmit personal or regulated business contact data off-platform to an external processor.

External Transmission

Medium
Category
Data Exfiltration
Content
API_BASE = "https://api.skillbossai.com/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
92% confidence
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
## How It Works

This skill calls the SkillBoss API Hub (`POST https://api.skillbossai.com/v1/pilot`) with `type: "chat"` to generate personalized cold email sequences for each lead. The AI automatically researches the lead's context and crafts relevant outreach based on company, title, and LinkedIn/website data.

## Endpoints
Confidence
89% confidence
Finding
https://api.skillbossai.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal