ClawHub

ISO 27001 Policy Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for generating ISO 27001 policy drafts, with expected but privacy-sensitive use of an external ToolWeb API.

Before using this skill, confirm ToolWeb is an approved provider, use a dedicated revocable API key, and avoid submitting secrets or unnecessary internal details. Treat generated policies as drafts requiring legal, compliance, and management review before adoption.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly asks users to provide detailed organizational context including infrastructure, locations, vendors, data types, and compliance requirements, which are all sensitive security-relevant details. Because the skill does not warn users that this information may be sent to an external third-party service, users could unknowingly disclose internal security posture and regulatory data that would aid profiling, social engineering, or targeted attacks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The API reference names a third-party endpoint and instructs users to send policy-generation inputs and authentication material, but it does not clearly disclose the sensitivity of the transmitted data or caution against including confidential internal information. In this context, the payload includes infrastructure, data classifications, business locations, and vendor relationships, making silent transmission to an external service a meaningful data exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal