ClawHub

Legal Cog

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legal drafting helper that uses the external CellCog service, with privacy caution needed but no evidence of hidden execution or data theft.

Install only if you are comfortable using CellCog for legal drafting. Do not submit privileged, confidential, regulated, or unnecessary personal information unless your policy and agreements permit it; redact sensitive facts where possible and have any important legal output reviewed by a qualified attorney.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description advertises very broad legal-document and research capabilities without clear scope limits, trigger conditions, or prominent guardrails. In a legal-focused skill, that breadth increases the chance users will invoke it for high-risk matters and disclose sensitive facts, while the vague description does not sufficiently constrain use or set expectations about external processing and review requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to submit detailed legal prompts that may contain contracts, personal information, health data, employment details, investor information, or other confidential material to an external service, but it does not clearly warn about that data transfer where users are being instructed how to use the tool. Because legal workflows often involve privileged or highly sensitive data, omission of an explicit external-sharing warning materially raises confidentiality, privacy, and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal