Auto Dealer Marketing

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only dealership marketing helper; its CRM and outreach examples require compliance care, but the artifacts show no hidden access, code execution, credentials, or exfiltration.

Installers should treat this as a marketing copy and strategy aid, not a compliance authority. Do not provide CRM exports, customer PII, credentials, or campaign-system access unless necessary and authorized; have dealership counsel or a qualified compliance reviewer verify consent, opt-outs, pricing disclosures, OEM co-op rules, and state advertising requirements before publishing or sending campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest description is extremely broad and includes many generic automotive marketing terms, which can cause the skill to activate in situations beyond the user's actual intent. Over-broad activation is dangerous because it can route unrelated requests into a domain-specific workflow that encourages regulated advertising, outreach, and customer-data handling without sufficient scoping.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to gather CRM/DMS details and later promotes database mining, SMS/email outreach, equity mining, and service follow-up, but it does not place a prominent upfront warning to verify lawful data access, consent, and permitted use before handling customer records. In dealership marketing, this is especially risky because the workflows implicate TCPA, CAN-SPAM, privacy, and dealership customer-data safeguards, so an agent could help operationalize non-compliant outreach or misuse sensitive customer information.

VirusTotal

66/66 vendors flagged this skill as clean.
