ClawHub

Returns Reverse Logistics

Security checks across malware telemetry and agentic risk

Overview

This is a returns-operations reference skill with no hidden execution or system access, but users should apply privacy and human-review controls before using it with real customers.

Safe to install as a reference skill. Before using it in production, treat templates as drafts, minimize customer data shared with manufacturers, use approved secure channels, and require human or audited policy controls for refunds, denials, fraud holds, and returnless refunds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill content recommends researching a customer's social media, correlating returns with photographed events, and monitoring posts after policy changes. That is a real privacy-risk behavior because it encourages collection and use of external personal data without consent, necessity limits, or governance, and could lead to discriminatory profiling or improper surveillance of customers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The warranty-claim template explicitly sends customer-identifying and product-identifying information to a manufacturer, including name, order number, serial number, purchase date, defect details, and customer statements, but the surrounding guidance does not require data minimization, customer notice, consent, or verification of an approved data-sharing basis. In a real deployment, agents could forward more personal data than necessary to third parties, creating privacy, compliance, and confidentiality risk if the manufacturer does not need all fields or if the disclosure is not authorized.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Customer initiates return on website/app
  │
  ├── Automated policy check (within window? excluded category? customer in good standing?)
  │     ├── Auto-approve → Generate RMA + prepaid return label
  │     ├── Auto-deny → Display denial reason + alternatives
  │     └── Manual review queue → Agent reviews within 4 hours
  │
Confidence
82% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Return shipping cost estimate > 40% of product value?
  ├── Yes → Evaluate returnless refund
  │     ├── Product value < $50 → Auto-approve returnless refund
  │     ├── Product value $50-100 → Supervisor auto-approve
  │     ├── Product value $100-200 → Manager review (consider partial return — just the defective component)
  │     └── Product value > $200 → Case-by-case (may justify return shipping for high-value)
  │
Confidence
88% confidence
Finding
auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal