Outclaw Plan

Security checks across malware telemetry and agentic risk

Overview

This is a coherent outreach automation skill, but it needs review because it can use connected messaging accounts, run recurring monitoring, mutate campaign records, and invoke undeclared helpers with uneven user-control boundaries.

Install only if you intentionally want an agent to coordinate outreach through your connected business and messaging accounts. Keep trust mode off unless you truly accept scheduled sends without per-touchpoint review, verify the referenced local scripts and channel plugins before use, restrict account scopes, and regularly inspect active campaigns, listeners, opt-outs, archives, and connected-account permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The subagent is described as a planner/drafter, but the instructions authorize autonomous external research, enrichment, and web search on prospects. That expands the skill’s effective privileges and data-handling scope beyond a narrow planning role, increasing the chance of unapproved data collection, privacy issues, and unintended external access during routine use.

Intent-Code Divergence

Severity: Low | Confidence: 82%
The file says behavior depends on a `leadbay_connected` flag, but the operational steps invoke `LeadClaw`, creating ambiguity about what system is actually trusted and enabled. This kind of mismatch can cause the agent to route data to the wrong integration, bypass intended checks, or mishandle connection state in ways that weaken security controls.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
The document authorizes a fallback to browser automation for LinkedIn actions even though that capability is not clearly bounded in the stated skill scope or manifest. In an outreach skill that can contact external parties, adding UI automation expands the execution surface to less-auditable, more error-prone outbound actions and can bypass safer, explicit API/plugin constraints.

Vague Triggers

Severity: Medium | Confidence: 95%
The trigger list includes broad phrases like "follow up," "check replies," and "just send it," which can cause this high-impact outreach skill to activate on ambiguous everyday requests. In this context, unintended invocation is risky because the skill can read KB data, draft outreach, manipulate campaigns, and route sending-related actions without the user explicitly intending to enter a campaign workflow.

Missing User Warnings

Severity: Medium | Confidence: 97%
The skill explicitly instructs silent auto-invocation of other skills and a capability-refresh script without prior user notice or consent. That creates hidden side effects across tools and data sources, expanding the action surface and making it harder for users to understand when research, style generation, or system refreshes were triggered on their behalf.

Missing User Warnings

Severity: Medium | Confidence: 89%
The skill directs retrieval of full lead profiles, company data, relationship signals, and automatic contact enrichment without any explicit user-facing notice or consent flow. In an outreach context, that can expose personal or third-party data processing that users may not expect, creating privacy, compliance, and trust risks if the agent silently enriches targets behind the scenes.

Missing User Warnings

Severity: Low | Confidence: 84%
In degraded mode, the subagent performs public web searches about the prospect and company without clearly warning the user that such searches will occur. While less sensitive than commercial enrichment, it still creates an undisclosed external action and may reveal intent patterns, trigger unwanted lookups, or surprise users who expected the plan to use only supplied information.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill instructs the agent to permanently cancel follow-ups, mark the campaign declined, and add the prospect to a do-not-contact list based solely on response classification, without requiring explicit user visibility or confirmation for this state-changing action. In this outreach context, a misclassification or adversarial message could silently suppress future contact and alter campaign records in ways that are hard to notice or reverse.

Missing User Warnings

Severity: Low | Confidence: 83%
The skill automatically reschedules pending follow-ups from parsed out-of-office dates without surfacing that campaign timing has been modified. In a campaign orchestration system, silent schedule changes can cause unexpected outreach delays or missed windows, and they can be abused via malformed auto-replies that manipulate follow-up timing.

Missing User Warnings

Severity: Medium | Confidence: 93%
The LinkedIn browser-automation fallback allows sending connection requests or messages through a less reliable mechanism without requiring an explicit warning or renewed consent. In this skill context, which already routes send/queue/contact requests and handles multi-channel outreach, that increases the chance of unintended outbound actions, account restrictions, or messaging behavior that differs from what the user approved.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill explicitly describes polling and monitoring private communications across email, Slack, WhatsApp, and LinkedIn, but provides no user-facing disclosure, consent boundary, or access-scoping guardrails. In a sales outreach agent, this is sensitive because it normalizes continuous surveillance of third-party conversations and engagement signals, increasing the risk of over-collection, unauthorized access, and privacy/compliance violations if the integrations are misconfigured or used without informed user authorization.

VirusTotal

66/66 vendors flagged this skill as clean.