Security audit

Prospect Enrichment

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only prospect research skill whose external scraping and search behavior matches its stated purpose, though users should be mindful of data shared with those tools.

Install this if you intend to use external scraping and search for prospect research. Avoid including confidential prospecting strategy or sensitive local marketing context unless it is appropriate for Firecrawl/Exa-backed workflows, and verify that the referenced helper CLIs are trusted in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding:
The skill description contains many broad, natural-language triggers such as 'learn about a company,' 'what does this company do,' and 'company deep dive,' which can cause the skill to activate in situations where the user did not explicitly intend website scraping or external research. Because the skill performs external fetching and synthesis, accidental invocation can lead to unnecessary data transmission, unexpected tool use, and over-collection beyond the user's intent.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill instructs the agent to scrape prospect websites and run external web searches, but it does not present a user-facing notice that URLs, company names, or related context may be sent to third-party services. This is dangerous because users may provide sensitive prospecting context, internal targets, or confidential research goals without realizing that information will be transmitted externally during tool execution.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.