Prospecting

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a non-malware lead-generation skill, but it should be reviewed because it can bulk-collect and save business contact data for outreach with broad triggers and limited privacy or retention guidance.

Install only if you intend to perform B2B lead generation and are prepared to manage the resulting contact data responsibly. Before using exported call lists, confirm the data sources are lawful for your use, respect Google Maps and other platform terms, follow applicable privacy, anti-spam, and do-not-call rules, and delete or secure saved prospect-data files when no longer needed.

SkillSpector (4)

By NVIDIA

Vague Triggers

Medium
Confidence: 93%
Finding: The skill advertises broad triggers such as generic prospecting and customer-finding phrases, which increases the chance of accidental or overbroad invocation in unrelated contexts. Because this skill performs bulk business data collection and outreach preparation, unintended activation could lead to privacy-invasive lead generation workflows being launched without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill is designed to collect, enrich, rank, and export business contact data into call lists and JSON/CSV files for outreach, but the description does not warn users that it is performing contact-data aggregation for sales activity. This lack of transparency can cause users to initiate regulated or sensitive outreach workflows without understanding the data-processing and compliance implications.

Missing User Warnings

Medium
Confidence: 87%
Finding: The skill explicitly instructs saving prospect profile data, including business phone numbers, addresses, and enrichment-derived details, into local JSON files without any guidance on data minimization, retention, access controls, or user consent. While this is mostly business contact information rather than highly sensitive personal data, it still creates privacy, compliance, and data-handling risk because enriched lead datasets can include contact channels and operational details that may be mishandled or retained indefinitely.

Missing User Warnings

Medium
Confidence: 90%
Finding: The file explicitly instructs creation of prospect data artifacts such as candidates.json, index.json, per-prospect records, and call-list.csv, but provides no privacy, consent, retention, or lawful-use guidance for collecting and operationalizing business contact data. In a lead-generation skill, this omission increases the risk of indiscriminate scraping, storage, and downstream outreach using personal or quasi-personal contact details without appropriate safeguards or jurisdiction-specific compliance checks.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.