Security audit

Web3 Marketing & GTM

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Web3 marketing playbook with no executable code or credentials, but users should review its wallet-tracking and outreach templates for privacy risk.

Safe to install as a marketing playbook. Before using its output, remove requests for public wallet-address posting, avoid linking wallet activity to chat or social identities without clear consent, and add privacy notices, opt-out paths, and compliance review for targeted outreach.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill's trigger text is overly broad and includes casual examples like generic requests to grow a Web3 community, which can cause the agent to invoke this skill outside a narrowly intended scope. Overbroad activation increases the chance of misrouting ordinary conversations into this skill, leading to inappropriate tool selection, reduced reliability, and possible bypass of safer or more specialized skills.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script explicitly asks users to post wallet addresses or ENS names publicly in a community channel, which can expose identifiable on-chain activity and make users easier to target for phishing, scam outreach, wallet profiling, or unwanted tracking. In a Web3 marketing skill, this is more dangerous because it operationalizes public collection of sensitive pseudonymous identifiers at scale and normalizes unsafe community practices.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document explicitly recommends segmenting users by wallet activity and sending targeted Discord/Telegram/X outreach based on those on-chain behaviors, but it provides no guidance to disclose this tracking or obtain user consent where appropriate. In a marketing skill, this omission can lead agents to generate retention campaigns that surprise users, violate platform expectations or privacy requirements, and create legal/compliance risk even though the underlying data is public on-chain.

VirusTotal

66/66 vendors flagged this skill as clean.