NUVC — VC-Grade Business Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward NUVC API skill, with the main caution that business ideas and pitch text you submit are sent to NUVC for processing.

Install only if you intend to use NUVC's remote API and are comfortable sending the business ideas, pitch text, market notes, or metrics you submit to NUVC. Avoid submitting confidential customer data, regulated data, sensitive investor materials, or proprietary plans unless NUVC's privacy and retention terms fit your needs, and keep NUVC_API_KEY private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence: 90%
Finding
The example trigger "Score my startup idea" is broad and resembles a normal conversational request, which can cause the skill to activate unexpectedly during ordinary user interactions. In an agent environment, overbroad invocation patterns increase the chance that sensitive or unrelated user content gets routed to this external service without clear user intent.

Vague Triggers

Medium
Confidence: 87%
Finding
The additional examples like market analysis and startup roasting are phrased as natural-language requests that overlap with common assistant tasks, making accidental invocation more likely. Because the skill depends on an external API, ambiguous triggers raise privacy and data-handling risks by potentially sending user prompts or proprietary business information off-platform unintentionally.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup section instructs users to obtain an API key and configure it, but the README does not clearly warn that prompts may be transmitted to an external NUVC service for processing. Users may therefore share confidential startup ideas, market plans, financials, or pitch content without informed consent about third-party handling, retention, or exposure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to send the user's business idea, pitch, financials, or other startup content to an external API service, but it does not clearly warn the user that their data will leave the local environment. This is risky because such content often contains confidential business information, proprietary strategy, fundraising details, or financial metrics, and users may reasonably assume analysis is local unless told otherwise.

Missing User Warnings

Medium
Confidence: 96%
Finding
The `score` command sends user-supplied business idea text to `https://api.nuvc.ai` via `apiCall("POST", "/ai/score", { text })` without an explicit runtime warning or consent prompt. In an agent-skill context, users may assume local processing and inadvertently transmit confidential startup plans, financials, or proprietary data to a third party.

Missing User Warnings

Medium
Confidence: 96%
Finding
The `roast` command transmits arbitrary user-provided pitch text to the remote `/ai/analyze` endpoint without an explicit warning at the point of use. Because users may paste sensitive pitch decks or internal strategy materials, this creates an unintended data-exposure risk to an external provider.

Missing User Warnings

Medium
Confidence: 96%
Finding
The `analyze` command forwards user text and analysis type to NUVC's remote API without a specific disclosure that the content leaves the local environment. Given the skill's purpose, inputs are likely to include market research, competitive intelligence, and financial details that may be sensitive or non-public.

Missing User Warnings

Medium
Confidence: 96%
Finding
The `extract` command sends raw user text to the `/ai/extract` remote endpoint without an explicit warning or consent mechanism. This is risky because extraction workflows often involve pasting rich business descriptions containing metrics, team details, or other confidential structured information.

VirusTotal

66/66 vendors flagged this skill as clean.