
Security audit

Lead Gen Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed lead-tracking and email-outreach skill whose automation is opt-in, but the SMTP and cron auto-send settings deserve care: once enabled, they let the skill send mail to third parties without a human in the loop.

Install only if you intend to manage real lead/contact data and send business outreach. Keep the default manual review flow unless you are comfortable with automated follow-ups; confirm your recipients and your compliance obligations before enabling them; and never put passwords in chat or in config files: supply SMTP credentials through environment variables so they stay out of the conversation and out of anything the skill writes to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (92% confidence)
Finding
The manifest includes very broad trigger phrases such as "find leads," "run the pipeline," and "send pitches," which can cause the skill to activate on common user requests without clearly signaling that it will perform multi-step lead scraping, site generation, deployment, and outbound email actions. In this context, overbroad matching is risky because the skill automates external-facing operations and could be invoked when the user intended a narrower or safer task.

Missing User Warnings

High (98% confidence)
Finding
The skill explicitly automates cold pitch emails to third parties using scraped business data, but provides no user-facing warning, consent checkpoint, or privacy/compliance guardrails before external outreach. This is dangerous because it enables unsolicited contact at scale, increasing the risk of spam, privacy violations, reputational harm, and noncompliance with email and data-protection rules.
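The two points above (credentials only from environment variables, and a consent checkpoint before any outbound mail) can be enforced in a few lines. The following is an added example, not code from the skill or from this audit, showing how a send routine can default to a dry run, refuse to start without SMTP settings in the environment, and gate every recipient on an opt-out list and a recorded consent basis before anything leaves the machine. The environment variable names (`SMTP_HOST`, `SMTP_USER`, `SMTP_PASSWORD`, `LEADGEN_AUTO_SEND`), the function names and the sample addresses are all hypothetical.

```python
import os
import smtplib
from dataclasses import dataclass
from email.message import EmailMessage

# Hypothetical variable names; the skill's real settings are not shown on the audit page.
ENV_HOST = "SMTP_HOST"
ENV_USER = "SMTP_USER"
ENV_PASS = "SMTP_PASSWORD"
ENV_AUTO_SEND = "LEADGEN_AUTO_SEND"


class OutreachBlocked(Exception):
    """Raised when a guardrail refuses to proceed."""


@dataclass(frozen=True)
class SmtpCreds:
    host: str
    user: str
    password: str


def load_smtp_creds(env=os.environ) -> SmtpCreds:
    """Read SMTP credentials from the environment only, never from a config file or chat."""
    missing = [k for k in (ENV_HOST, ENV_USER, ENV_PASS) if not env.get(k)]
    if missing:
        raise OutreachBlocked("missing SMTP settings in environment: " + ", ".join(missing))
    return SmtpCreds(env[ENV_HOST], env[ENV_USER], env[ENV_PASS])


def auto_send_enabled(env=os.environ) -> bool:
    """Unattended sending is opt-in: only the literal value 'yes' turns it on."""
    return env.get(ENV_AUTO_SEND, "").strip().lower() == "yes"


def gate_recipients(recipients, suppression_list, consent_log):
    """Return (allowed, rejected). A recipient passes only if it is not on the
    opt-out list and has a recorded consent/legitimate-interest basis."""
    allowed, rejected = [], {}
    for addr in recipients:
        norm = addr.strip().lower()
        if norm in suppression_list:
            rejected[addr] = "on suppression list"
        elif norm not in consent_log:
            rejected[addr] = "no recorded consent basis"
        else:
            allowed.append(norm)
    return allowed, rejected


def build_messages(sender, recipients, subject, body):
    """One EmailMessage per recipient; no BCC fan-out, so each send is individually auditable."""
    msgs = []
    for addr in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = addr
        m["Subject"] = subject
        m.set_content(body)
        msgs.append(m)
    return msgs


def smtp_send(creds, msg):
    """Real transport: STARTTLS, then authenticated send. Not exercised offline."""
    with smtplib.SMTP(creds.host, 587, timeout=30) as s:
        s.starttls()
        s.login(creds.user, creds.password)
        s.send_message(msg)


def run_outreach(recipients, subject, body, suppression_list, consent_log,
                 env=os.environ, confirmed=False, transport=None):
    """Dry run by default. Mail is actually sent only when the operator confirmed this
    batch (confirmed=True) or auto-send was explicitly enabled in the environment.
    `transport(creds, msg)` is injectable so the gate can be tested without a server."""
    creds = load_smtp_creds(env)                      # fails closed if credentials are absent
    allowed, rejected = gate_recipients(recipients, suppression_list, consent_log)
    msgs = build_messages(creds.user, allowed, subject, body)
    if not (confirmed or auto_send_enabled(env)):
        return {"mode": "dry-run", "would_send": allowed, "rejected": rejected}
    send = transport or smtp_send
    for m in msgs:
        send(creds, m)
    return {"mode": "sent", "sent": allowed, "rejected": rejected}
```

The design choice worth copying is that every path that reaches the network passes through the same gate: the dry run shows exactly which addresses would be contacted and why the rest were dropped, and the cron/auto-send path cannot bypass the suppression and consent checks because it is the same function with one flag flipped.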

VirusTotal

66/66 vendors reported this skill as clean (no detections). A clean antivirus result covers only known-malicious code; it says nothing about the behavioural risks above, such as unattended outbound email or how SMTP credentials are handled.

Static analysis

No suspicious patterns detected.