Contact Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-run contact-finding tool that uses disclosed search and OpenAI APIs, with privacy and credential-handling cautions but no hidden or destructive behavior found.

Install only if you are comfortable sending prospecting queries, names, domains, and search snippets to SerpAPI or Brave Search and OpenAI. Use environment variables or a secrets manager for API keys, do not commit keys into the script, verify guessed emails before use, and follow privacy, anti-spam, and workplace rules for professional contact discovery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation indicates capabilities that access environment variables and make outbound network requests, but it does not declare permissions or clearly surface that trust boundary to users. This can lead users or platforms to run the skill without realizing it will access API keys and transmit query data externally, undermining informed consent and least-privilege controls.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill sends user-supplied search inputs, including names, companies, and domains, to third-party services (SerpAPI and OpenAI) without a clear warning in the user-facing description. This is dangerous because users may unknowingly disclose personal or sensitive prospecting data to external processors, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill collects names, company affiliation, likely professional contact details, and search-result snippets, then forwards that content to external providers including OpenAI for extraction. This creates a real privacy and data-governance risk because personal/contact data is transmitted to third parties without any explicit notice, consent flow, minimization, or policy controls in the script.

VirusTotal

66/66 vendors flagged this skill as clean.
