07 Risk Dashboard

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only internal risk dashboard skill, with no code execution or credential access, but automated report delivery should be configured carefully.

Install only for internal risk-management use. Verify the missing referenced SOP and glossary documents, provide only data the user is authorized to analyze, and require explicit approval before automating report pushes, escalations, supplier actions, or any external sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger condition includes a broad natural-language query like “当前最高风险是什么” ("What is the current highest risk?"), which can easily overlap with ordinary conversation and cause unintended invocation. In a risk-management skill, accidental activation can surface sensitive internal operational summaries to users or contexts that did not explicitly request this workflow.

Vague Triggers

Medium
Confidence: 91%
Finding
The automatic push behavior is described with vague conditions like generating and sending reports when there is 'new data', without defining thresholds, audience restrictions, or suppression logic. Ambiguous automation around internal risk reports can lead to over-broadcasting, notification storms, or delivery of sensitive information to unintended recipients.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill specifies automatic push and real-time alerts for internal risk data but does not define visibility boundaries, permitted recipients, or transmission safeguards. Because the content includes potentially sensitive complaints, incident severity, supplier risk, and estimated financial loss, unscoped delivery creates a meaningful risk of internal data leakage or unauthorized disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.
