Cold Email

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a cold-email writing aid, but it needs review because it encourages external prospect research and subject lines that can make sales outreach look like internal colleague email.

Review before installing. Use it only for honest, compliant outreach: do not impersonate colleagues, disguise vendor identity, or make sales email look internal. Confirm before allowing Exa or any search helper to run, keep queries limited to non-sensitive business information, and follow applicable privacy, marketing, unsubscribe, and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to send prospect and company queries to an external search service without telling the user that their provided data may be transmitted to a third party. If the user includes sensitive lead lists, unreleased targets, or private customer information, the agent could disclose that information during research, creating a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The guidance explicitly encourages quoting a prospect’s own words from interviews as a personalization tactic, but provides no guardrails around consent, source legitimacy, or privacy expectations. In a cold-email skill, this can normalize scraping and repurposing personal or semi-public statements in ways that feel invasive, create compliance risk, and enable targeting based on data the sender may not have a lawful or ethical basis to use.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The guidance explicitly recommends subject lines that appear to come from a colleague rather than a vendor, which is a form of deceptive impersonation/camouflage. In a cold-email skill, this is more dangerous because the content is directly operationalized for outreach at scale, increasing the likelihood of misleading recipients and bypassing normal skepticism or spam filtering.

VirusTotal

VirusTotal findings are pending for this skill version.
