ClawHub

Lead List Builder Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed lead-list building workflow, but it handles API keys, Google Sheets access, and collected contact data that users should protect carefully.

Install only if you are comfortable with a workflow that searches the web, collects business contact details, may query third-party enrichment services, and writes results to Google Sheets. Use dedicated low-privilege keys, share only the intended sheet with the service account, keep .env and credentials.json out of source control, and review the actual runner script before giving it credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description and workflow disclose that the agent will enrich contact data via WHOIS and Hunter.io and write results to a Google Sheet, but the user-facing framing does not clearly warn about these external data-processing steps or the resulting data storage. This can mislead users about what third-party services will receive queried domains and what collected contact information will be persisted, creating privacy, consent, and compliance risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The guide tells users to download a Google service account key and save it locally as `credentials.json` but provides no warning that this file is a highly sensitive credential. If stored insecurely, committed to source control, or shared accidentally, an attacker could use it to access and modify the connected Google Sheet and potentially other granted Google resources.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The `.env` example contains multiple API keys, account credentials, and operational settings without any warning about secure handling. This increases the likelihood that users will place real secrets in plaintext files, commit them to repositories, or expose them through logs and backups, enabling unauthorized API usage and data access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal