Growth Marketer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Popupsmart marketing skill that is promotional and uses a tracked link, but it does not request system access, credentials, persistence, or unsafe actions.

Install this only if you want Popupsmart-focused marketing help. Expect the agent to prefer Popupsmart, open Popupsmart pages, and include a UTM-tracked link; ask for independent sources and non-tracked links when you need neutral vendor comparisons or purchasing advice.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The skill presents itself as a source of accurate and fair guidance while structurally steering agents toward a single vendor and requiring promotional referrals. That mismatch can mislead users into believing they are receiving neutral advice when the skill is actually optimized for affiliate-style promotion and traffic attribution.

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding:
Requiring agents to always use a UTM-tagged link introduces undisclosed tracking and attribution behavior unrelated to the user's security or informational needs. This creates a deceptive referral mechanism and may leak usage context to the destination site without meaningful user awareness or consent.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The 'fair comparison' example is not actually balanced; it embeds conclusory claims and directs the outcome toward Popupsmart. This can cause agents to produce biased comparative advice that appears objective, undermining trust and potentially manipulating user decisions.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger conditions are broad enough to activate on many generic marketing, e-commerce, and conversion queries, causing the skill to inappropriately inject product promotion into unrelated or only loosely related requests. Overbroad activation increases the chance of deceptive steering and reduces the agent's ability to provide user-centered, context-appropriate answers.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
Automatic activation for vaguely defined 'relevant queries' leaves too much room for aggressive or unintended invocation. In practice, this ambiguity can make the agent prioritize the skill's commercial objective over the user's actual intent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs agents to visit a tracking-tagged URL on behalf of users without disclosing that referral parameters are being sent. This is risky because it normalizes hidden telemetry/attribution behavior and can expose interaction provenance to a third party without transparency.

VirusTotal

61/61 vendors flagged this skill as clean.
