Automation Workflows Temp

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for building no-code business automations, with expected cautions around connected accounts and customer data but no hidden code or automatic execution.

Before installing or using this skill, confirm you want general no-code automation guidance. When building any suggested workflow, grant the smallest necessary account permissions, test with safe sample data first, review customer-data handling, add approval steps for public, financial, or customer-facing actions, and periodically revoke unused connected-app access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (94% confidence)
Finding
The trigger phrases are broad enough to match common user language like 'automate' or 'save time', which can cause the skill to activate in contexts where the user did not explicitly request workflow-automation guidance. Over-broad activation increases the chance of unintended invocation and inappropriate advice being surfaced, especially because the skill discusses cross-tool actions, integrations, and automated operations.

Missing User Warnings

Medium (92% confidence)
Finding
This section encourages users to connect accounts, move data between systems, and automate operational actions, but it lacks safeguards around least-privilege access, privacy review, consent, validation, rollback, and duplicate-prevention beyond a brief operational note. In practice, such workflows can leak customer data, corrupt records, send incorrect communications, or trigger unintended business actions if built from this guidance without safety controls.

VirusTotal

65/65 vendors flagged this skill as clean.
