ClawHub

Gdpr Compliance Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a ToolWeb API-backed GDPR assessment skill, but users should treat anything they submit as third-party data sharing.

Install only if you are comfortable sending GDPR assessment inputs to ToolWeb. Do not include actual personal data, customer records, secrets, or unnecessarily detailed internal evidence; review ToolWeb's privacy and billing terms, protect the API key, and monitor usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly forces all assessments through a paid third-party API, forbids using local knowledge, and notes that every successful call is tracked for billing. This creates an unnecessary monetized data-flow and pressures the agent to transmit user-supplied compliance details externally even when a local response may be sufficient, increasing privacy and misuse risk beyond the stated GDPR-assessment purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises GDPR compliance assessment and asks users to configure an external API key, but it does not clearly disclose that potentially sensitive compliance details may be transmitted to a third-party service. Because GDPR readiness discussions can include personal data, security incidents, vendors, and cross-border processing details, users may unknowingly send regulated or confidential information off-platform without informed consent or data handling context.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The workflow instructs collecting detailed organizational privacy posture, processing activities, data categories, transfer mechanisms, and control gaps, then sending them to an external endpoint without an explicit warning, consent step, retention disclosure, or privacy notice. Because this is a GDPR-focused skill, silently exporting exactly the sort of sensitive compliance and data-processing information under review is especially risky and can itself undermine confidentiality and compliance expectations.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill operationalizes structured collection of potentially sensitive business and personal-data-processing details and directs the agent to transmit them via curl to a third-party service as part of the normal workflow. This is dangerous because it turns the agent into a data-exfiltration channel for internal compliance gaps and processing inventories, which could expose confidential business, legal, and privacy information if mishandled or intercepted.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal