Nex Crm

Security checks across malware telemetry and agentic risk

Overview

This is a local CRM tool that stores and exports customer data on the user's machine, with no evidence of hidden sharing or destructive behavior.

Install only if you are comfortable storing prospect, contact, notes, interaction history, and deal data in ~/.nex-crm. Treat exported CSV or JSON files as sensitive, keep them out of shared or synced folders unless intended, and ask your agent to confirm before any write or export when your request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 82%
Finding: The trigger list contains broad terms like "pipeline," "follow-up," "CRM," "prospects," and "contact Jan," which can appear in ordinary conversation outside the user's intent to invoke this skill. Overbroad activation can cause the agent to enter a CRM workflow unexpectedly and perform state-changing actions such as logging interactions or exposing stored prospect data.

Missing User Warnings

Medium
Confidence: 88%
Finding: The skill supports exporting all prospect data to CSV or JSON and even gives a filesystem destination example, but it does not require an explicit warning or confirmation about what data will be included or where it will be written. Because CRM records can contain personal and commercial data, silent export increases the risk of accidental disclosure, insecure storage, or unintended sharing.

Missing User Warnings

Medium
Confidence: 94%
Finding: The export command writes full prospect records to JSON/CSV on disk without any warning, confirmation, or privacy safeguard, even though this CRM stores potentially sensitive business and personal data such as contact details, interaction history, follow-up data, and deal values. In a chat-native CRM context, users may trigger exports casually or through automation and unintentionally leave sensitive customer data in plaintext files that can be copied, synced, or exposed by other local processes.

VirusTotal

67/67 vendors flagged this skill as clean.