CompoundOS - AI Operating System

Security checks across malware telemetry and agentic risk

Overview

This documentation-only business automation skill is coherent, but it asks agents to retain broad business data and autonomously perform high-impact actions without enough guardrails.

Install only if you add your own controls before connecting it to real business systems. Require human approval for payments, invoices, tax filings, payroll, public posts, outbound outreach, customer account actions, and production changes. Limit each agent to least-privilege access, redact secrets and personal data before storage, define retention and deletion rules, and keep finance, HR, legal, and customer records out of shared agent memory unless explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly promotes broad logging and machine-to-machine data gateways without any limits on what data may be collected, retained, or transmitted. In a business operations context, this can easily sweep up sensitive prompts, customer data, credentials, or confidential operational information and expose it through storage or integrations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The instruction to 'capture everything' encourages indiscriminate retention of user and operational data without regard to confidentiality, privacy, or least-privilege principles. That creates a predictable risk of storing sensitive information that does not need to be persisted for the skill to function.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The Convert template authorizes autonomous outreach campaigns and funnel actions without requiring consent checks, recipient eligibility review, or privacy/compliance guardrails. In a real deployment, this could lead an agent to process prospect data, send unsolicited messages, or make sales-flow changes that create legal, reputational, and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The Retain template permits autonomous customer interventions and upsell actions while referencing customer history and risk indicators, but it does not define safeguards for handling personal/customer data or limits on automated decision-making. This increases the chance of inappropriate profiling, unauthorized outreach, or disclosure/misuse of sensitive customer information.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The Finance template grants full autonomy to send invoices, process payments, track expenses, and generate reports without embedded controls such as approval thresholds, segregation of duties, or fraud-prevention checks. Because financial operations involve highly sensitive data and irreversible transactions, misuse or prompt-induced errors could cause direct monetary loss, fraudulent payments, or exposure of financial records.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly grants the Attract agent full autonomy for ad setup and posting, which can cause external actions on brand channels without a user-facing warning, approval checkpoint, or safety boundary. This is risky because autonomous publishing can create reputational harm, unintended public communications, or policy-violating content if the agent acts on incomplete or incorrect context.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The Convert agent is described as having full autonomy for outreach, including cold email and LinkedIn DM activity, without any warning or approval requirement for sending external sales communications. This creates a meaningful risk of spam, harassment, compliance violations, and reputational damage because the agent could contact real third parties autonomously.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill instructs agents to always capture broad categories of operational information, including customer feedback, competitive intelligence, vendor evaluations, and strategic decisions, but provides no limits on collecting sensitive, personal, confidential, or regulated data. In a memory/knowledge-retention workflow, this can cause overcollection and long-term retention of sensitive information, increasing privacy, compliance, and data-exposure risk if the memory store is searched, reused, or leaked.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document frames the system as capturing 'everything' and continuously feeding it back into memory and strategy, but it provides no privacy boundaries, consent requirements, minimization rules, or retention controls. In a skill that orchestrates agent behavior, this encourages broad collection of potentially sensitive operational and personal data by default.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: Automatically capturing context, timing, participants, and customer interactions can include personal data, confidential business information, and sensitive conversation history. Because the skill gives operational instructions without any warning or safeguards, it materially increases the risk of privacy violations and unauthorized data collection.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The 'Always capture' list explicitly includes customer feedback, competitive intelligence, financial outcomes, and team observations, all of which may contain confidential, personal, or regulated data. Stating these should always be captured without qualification normalizes indiscriminate collection and makes downstream misuse or over-retention likely.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: Telling operators to 'log all decisions, actions, outcomes' normalizes full-fidelity retention of conversational and operational content. This increases the chance of sensitive data accumulation, later leakage, and secondary misuse through retrieval, analytics, or downstream agent access.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The workflow says to log the entire process and outcome for every new task, which effectively encourages preserving all user-provided inputs and internal reasoning artifacts. In an agentic system spanning departments, that broad retention materially raises privacy, confidentiality, and cross-context data exposure risks.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: Repeated 'capture everything' language reinforces a default behavior of unrestricted collection and retention, making unsafe data practices part of the operating model. Because this skill is designed as a self-improving business OS, accumulated sensitive data could become widely retrievable by multiple agents over time.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: Automatic capture of department agent outputs, metrics updates, and customer interactions creates a clear natural-language leakage path into logs and memory stores. Agent outputs often contain copied prompts, internal reasoning artifacts, secrets, customer details, or other confidential context that should not be persistently retained wholesale.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: Appending all captured entries to daily and long-term memory files creates persistent storage of whatever the system ingests, including sensitive data that may have been collected accidentally. Persistence increases blast radius because exposed memory files can leak historical customer, business, or internal process information over time.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The checklist operationalizes auto-capture for all agent outputs, turning a risky concept into an implementation directive. In skill context, that makes the issue more dangerous because it is not merely descriptive; it is actionable guidance likely to be adopted as-is.

Context Leakage

Severity: High
Category: Data Exfiltration
Content:
┌─────────────────────────────────────────────────────────┐
│ 1. AUTO-CAPTURE                                         │
│    • Log all decisions, actions, outcomes               │
│    • Capture context, timing, participants              │
│    • Tag by department, project, category              │
└────────────────────┬────────────────────────────────────┘
                     ↓
Confidence: 93%
Finding: Capture context

VirusTotal

64/64 vendors flagged this skill as clean.
