Crm Data Cleaner

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CRM cleanup skill with expected but sensitive CRM credential, bulk-change, and enrichment-provider workflows.

Install only if you are comfortable using CRM credentials for data cleanup. Use a test export or sandbox first, keep a backup, require explicit approval before merges/imports/batch updates, use least-privileged tokens, and confirm your organization permits sending contact data to enrichment providers such as Clearbit or Apollo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The manifest explicitly markets the skill as instruction-only with no scripts or code execution, yet the body includes runnable Python, JavaScript, Apex, SQL, and API examples. That mismatch can mislead operators, policy engines, or reviewers into granting broader trust than warranted, increasing the chance that code snippets handling credentials or customer data are copied or executed without appropriate scrutiny.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The comment indicating that implementation details live in scripts/ directly contradicts the claim that the skill has no scripts. This creates a trust-boundary problem: users and automated tooling may believe the package is non-executable while it implicitly points to hidden or omitted executable components, which can conceal data-processing behavior or credential use.

Missing User Warnings

High
Confidence: 95%
Finding
The skill encourages enrichment through third-party providers and CRM API/import workflows without clearly warning that contact data may be transmitted externally or that CRM records may be modified in bulk. In a CRM context, this can expose personal or business contact data to outside services, create compliance issues, and cause irreversible integrity problems from merges or overwrites if users are not prompted for consent and review.

VirusTotal

66/66 vendors flagged this skill as clean.
