Agent Dispute Resolution & Chargeback Defense

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide, but it teaches autonomous escrow, dispute, refund, and evidence-sharing workflows that can affect money and legal rights without enough mandatory safeguards.

Treat this as high-risk implementation guidance, not turnkey safe code. Before adapting it, force sandbox endpoints by default; use least-privilege API keys; require human approval for escrow release/cancellation, dispute filing/response, concessions, and settlements; redact evidence bundles; and add audit logs, transaction caps, and legal/compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding:
The selective disclosure example claims to reveal only one clause, but it returns the entire mandate in `full_mandate`. That defeats the privacy goal and could expose sensitive budget limits, vendor lists, principal identity, or internal authorization details to counterparties, arbitrators, or other third parties during disputes.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The guide promotes fully autonomous dispute filing, responses, escrow releases, concessions, and partial settlements without strong guardrails or explicit warnings about financial/legal consequences. In practice, an operator could deploy this automation and have an agent commit funds, waive claims, or make adverse dispute decisions without human review, creating direct financial and contractual harm.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The evidence collection and submission workflow automatically aggregates transaction history, SLA data, reputation data, escrow state, and dispute materials, then submits them externally, but the guide does not clearly warn about data sharing and privacy implications. This can cause unintended disclosure of sensitive commercial, reputational, or personal data to external APIs, counterparties, or dispute systems.

VirusTotal

65/65 vendors flagged this skill as clean.