Outclaw Research

Security checks across malware telemetry and agentic risk

Overview

This sales-research skill is not malicious, but it needs review because it can search private messages and notes, extract contact details, and store them persistently.

Use only in an approved sales or recruiting environment where persistent lead profiling is allowed. Before installing, restrict the tool inventory to approved business sources, disable personal messaging and notes access unless explicitly needed, review the referenced OutClaw helper scripts, and define clear consent, retention, deletion, and spending rules for contact enrichment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The skill explicitly directs the agent to search across Gmail, Slack, WhatsApp, Telegram, iMessage, Discord, LinkedIn messages, and notes for prior conversations with a target, then summarize and ingest that relationship history into a persistent KB. That materially expands scope beyond public B2B research into private communications mining, creating a significant risk of collecting and retaining sensitive or irrelevant personal data without clear necessity or consent.

Description-Behavior Mismatch

Severity: Medium | Confidence: 84%
The skill claims it 'does not contact anyone,' but nearby instructions support contact-enrichment behavior such as purchasing contacts and harvesting phone, address, LinkedIn URL, and title from prior messages and signatures. Even if it does not send outreach itself, this contradiction understates the skill's data-collection and contact-enablement behavior, which can mislead users about privacy and compliance impact.

Vague Triggers

Severity: Medium | Confidence: 87%
The trigger phrases are very broad, including generic requests like 'who is <person>', 'look up <person>', and 'find <person>'s email|linkedin|phone|company', which can overlap with ordinary assistant use. This increases the chance of accidental invocation of a high-impact skill that performs broad research and persistent writes when the user may have intended only a simple answer.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill description states that it writes a persistent profile into the OutClaw knowledge base and uses local raw-file storage, but it does not present a prominent user-facing notice or consent step about those storage side effects. Users may trigger the skill expecting transient research and not realize that personal and organizational data will be retained locally and reused later.

Missing User Warnings

Severity: Medium | Confidence: 92%
The playbook explicitly instructs the agent to access personal note and reminder systems because they may contain useful information about a target, but it provides no requirement to notify the user, obtain just-in-time consent, or limit collection to outreach-relevant data. In a B2B outreach context, this increases the risk of covertly mining highly sensitive personal content and storing or acting on it in ways the user may not expect.

Ssd 3

Severity: High | Confidence: 97%
The skill instructs the agent to mine prior conversations across multiple communication systems, extract signature fields like phone, address, title, and company, OCR signature images if needed, and write the extracted data into the KB frontmatter. This is a direct natural-language data exfiltration and over-collection risk because private communications can contain sensitive personal or business information far beyond what is necessary for prospect research.

VirusTotal

66/66 vendors flagged this skill as clean.