OPC Landing Page Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent landing-page creation skill with disclosed local file generation, project tracking, and review helpers, but users should be careful with private business data and privacy-policy requirements.

Review generated metadata before sharing or committing it, especially when using contract or invoice linkage because private client and pricing details may be copied into project files. Before publishing any generated form, replace placeholder form actions and add real privacy, terms, and consent language where required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to read and write local files (`read_file(...)`, archive outputs, generate metadata) but does not declare those capabilities explicitly. Hidden file I/O increases the chance that the skill is granted broader access than users expect, making misuse or accidental modification of workspace data more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill's declared purpose is landing-page generation, but the instructions also include project indexing, metadata aggregation, readiness scoring, compliance auditing, dashboard/status reporting, and writing tracking artifacts to disk. This scope expansion obscures the true behavior of the skill, which can mislead users and reviewers about what data is processed and persisted.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The cross-skill linkage directs this skill to pull contract and invoice information from other managers and reuse it in landing-page metadata and content decisions. That creates unnecessary access to potentially sensitive financial and legal data unrelated to the immediate task, increasing the risk of privacy leakage and unintended data propagation across skills.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The instruction to default ambiguous user input to 'Full build' causes the skill to activate broad workflows, including strategy generation, file reads, and later write/archive behavior, even when user intent is unclear. Over-broad activation increases the chance of unnecessary processing or side effects from a vague prompt.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The page actively solicits email addresses for a waitlist but does not provide any explicit notice about how the data will be used, stored, or protected beyond a generic reassurance placeholder. In a lead-capture context, this increases privacy/compliance risk and can mislead users about consent and data handling, especially if deployed as-is.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal