Social Proof Collector

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only marketing skill for collecting and reusing public reviews, with compliance and scoping cautions but no hidden code or deceptive behavior found.

Install only if you intend to collect reviews for a business you are authorized to represent. Before publishing widgets, social posts, or email snippets, confirm platform terms, quoting rights, attribution expectations, and privacy obligations; sanitize generated HTML and set clear limits for any recurring alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to scrape, extract, and republish third-party review content from multiple external platforms, but it provides no warning about platform terms, copyright/licensing, privacy, attribution, or consent constraints. That omission is risky because users may deploy the skill in ways that violate site policies or improperly reuse personal content, creating legal, compliance, and trust issues.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation phrases are broad, natural-language commands like 'Collect reviews' and 'Check for new reviews daily,' without guardrails on target scope, authorization, or excluded sources. In practice, this can cause the agent to perform scraping, monitoring, and content reuse across arbitrary third-party platforms with insufficient user confirmation, increasing the chance of unauthorized data collection or policy-violating automation.

VirusTotal

54/54 vendors flagged this skill as clean.
