ClawHub
Back to skill

Security audit

cold-email

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends user-provided sales lead details to SkillBoss to generate cold email sequences, with privacy care needed.

Install only if you are authorized to share the lead data with SkillBoss for processing. Avoid unnecessary or sensitive personal data, review your organization's privacy/compliance requirements, and keep the SkillBoss API key in a secure environment or secret store rather than code or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly sends lead data, including email addresses and potentially LinkedIn/company information, to a third-party API for processing, but the documentation does not provide a prominent privacy warning, consent requirement, or data-handling guidance. This creates a real privacy and compliance risk because users may transmit personal data to an external service without understanding the disclosure or retention implications.

External Transmission

Medium
Category
Data Exfiltration
Content
API_BASE = "https://api.skillbossai.com/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
88% confidence
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
## How It Works

This skill calls the SkillBoss API Hub (`POST https://api.skillbossai.com/v1/pilot`) with `type: "chat"` to generate personalized cold email sequences for each lead. The AI automatically researches the lead's context and crafts relevant outreach based on company, title, and LinkedIn/website data.

## Endpoints
Confidence
87% confidence
Finding
https://api.skillbossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal