Continuous User Research

Security checks across malware telemetry and agentic risk

Overview

This skill handles participant research data, but its access, storage, and integrations are disclosed and fit its diary-study purpose.

Install only if you can manage participant consent and secure research-data storage. Enable only the integrations you need, scope tokens narrowly, keep raw entries and attachments separate from shared reports, preserve the consent/privacy language, and set real retention and deletion rules before collecting participant data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The recipe explicitly allows screenshot, photo, and audio attachments and says raw files will be kept in restricted storage, but it does not pair this with a clear user-facing warning not to submit sensitive personal, financial, health, or third-party data. In a continuous user research workflow, attachments can easily contain high-risk incidental data and the absence of explicit participant guidance increases the chance of over-collection, privacy violations, and downstream retention of sensitive material.

Missing User Warnings

Medium
Confidence: 91%
Finding
The recipe instructs operators to import participant emails and store diary entries, which can contain highly sensitive behavioral and emotional data, but it does not prominently warn about the sensitivity of this data or require stronger handling controls at the point of collection and storage. In a continuous user research skill, this omission is more dangerous because the workflow is specifically designed to accumulate longitudinal participant data, increasing privacy, compliance, and misuse risk if users treat the process as routine operational content rather than regulated personal-data handling.

VirusTotal

64/64 vendors flagged this skill as clean.
