Customer LTV

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only customer lifetime value marketing skill; it uses sensitive customer data and outreach concepts, but the behavior is disclosed, purpose-aligned, and not self-executing.

Install only if you are authorized to process customer purchase and contact data. Use least-privilege exports, prefer pseudonymous IDs for analysis, verify email/SMS/phone consent and suppression lists before outreach, and have marketing, legal/compliance, and analytics review the LTV formulas and campaigns before updating live platforms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The guide’s refund-handling section contains a mathematically inconsistent example: after stating net revenue is $800, it multiplies that value again by purchase frequency and lifespan to produce $6,400, which materially overstates LTV. In a business-analytics skill, this can mislead users into overspending on acquisition, misclassifying customer segments, and making poor retention or budget decisions based on inflated unit economics.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to gather customer-level data including identifiers, email, and to operationalize outreach via email, SMS, and phone calls, but it provides no guidance to verify lawful basis, consent status, channel permissions, data minimization, or regional compliance requirements. In a marketing automation context, this omission can lead users to contact customers without valid consent or import/store more personal data than necessary, creating privacy, regulatory, and reputational risk.

VirusTotal

65/65 vendors flagged this skill as clean.
