ClawHub
Back to skill

Security audit

jike-geo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent marketing/GEO research skill, with the main risk being that it may use web search on business details the user provides.

Install only if you are comfortable with the skill using web search or related external services for company, product, and competitor research. Do not provide confidential launch plans, private strategy, customer data, or unreleased product details unless you are willing for that context to leave the local agent environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description is broad enough to trigger on many generic brand, ranking, monitoring, content-generation, or competitor-analysis requests, increasing the chance of accidental invocation outside the user's intent. Over-broad routing can cause unnecessary exposure of sensitive business information to the skill's backend or lead the agent to perform external actions without sufficiently specific consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly tell the agent to enrich missing company details through online searches, but the skill does not warn users that company names, product names, competitor information, and related context may be sent to third-party services. This creates a data disclosure and privacy risk, especially for confidential product launches, internal brand strategy, or sensitive competitive intelligence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly tells the agent to proactively use network search to fill missing company fields, but it does not require user consent or warn that user-provided business details may be sent to external services. This creates a real privacy and data-governance risk because sensitive business context, brand plans, or unpublished product information could be disclosed to third-party search providers without clear authorization.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.