ClawHub

ISO9001认证助手/ISO9001-certificate-assistant

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says: analyze uploaded ISO 9001 documents and generate local reports or templates, with normal confidentiality and file-output cautions.

Before installing, confirm you are comfortable sharing ISO/QMS documents with your agent environment. Redact unnecessary confidential or personal data, choose output paths deliberately, and avoid reusing existing filenames unless you intend to replace them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow asks users to upload Word documents, then parses them and uses extracted content to perform analysis and populate templates, but it does not warn that confidential business information or personal data may be processed and propagated into outputs. In this context, the documents are likely to contain sensitive internal procedures, names, metrics, or client data, so omission of this warning materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document-generation step states that the skill will generate rewritten or new documents from templates using extracted client content, but it does not warn that this will create files and may overwrite existing output paths. Because the generated content is derived from sensitive client documents, silent file creation or overwrite can leak confidential data into unintended locations or destroy existing files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal