Mova Contract Generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MOVA-based contract drafting workflow with human review gates, not a hidden or destructive skill.

Install only if your organization permits sending contract details and party data to MOVA and the configured template/document repositories. Keep the confirmation and human legal review gates enabled, and verify audit retention, access control, and deletion policies before using confidential agreements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description and frontmatter declare very broad activation criteria for creating or drafting contracts and legal documents from templates, which can cause the skill to trigger on routine drafting requests without sufficient disambiguation. In an agent environment, overly broad triggers can route sensitive legal tasks and party data to the MOVA workflow unexpectedly, increasing privacy, compliance, and mistaken-action risk even if the workflow itself includes human review gates.

Vague Triggers

Medium
Confidence: 94%
Finding
The 'When to trigger' section uses ambiguous phrases like 'generate,' 'create,' 'draft,' and 'prepare' for contracts or legal documents, which are common natural-language requests and may cause unintended invocation of the external MOVA workflow. Because this skill sends party names, jurisdiction, terms, drafts, and audit metadata to external services, accidental activation can expose sensitive legal information and initiate irreversible workflow steps before the user clearly consents.

VirusTotal

59/59 vendors flagged this skill as clean.
