企服助手 (Enterprise Service Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent enterprise assistant, but it asks for sensitive business data and notification credentials while giving the agent broad automation and external sharing paths that need careful review.

Install only if you are comfortable giving this assistant access to customer, contract, billing, ticket, and notification data. Keep PROJECT_KB.md private, avoid placing webhook secrets in shared Markdown when possible, use least-privilege test data first, and require explicit confirmation before exports, webhook tests, scheduled reminders, or customer-data lookups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers (Medium severity, 83% confidence)

Finding: The trigger descriptions use broad phrases such as enterprise repair reports, steward reports, and scheduled monitoring without clearly defining authorization, data scope, or suppression conditions. In an enterprise-service assistant that can access customer, billing, ticketing, and contract data, ambiguous triggers can cause unintended automation, over-collection, or disclosure in the wrong context, especially for group chats and scheduled tasks.

Missing User Warnings (Medium severity, 91% confidence)

Finding: The skill explicitly advertises exporting customer ledgers to Tencent Docs but does not present an immediate warning about external data disclosure, permission inheritance, link sharing, or the sensitivity of customer financial records. Because this assistant handles tenant profiles, payment collections, and contracts, export functionality materially increases the risk of unauthorized disclosure if users trigger it without understanding the sharing consequences.

Vague Triggers (Medium severity, 91% confidence)

Finding: The phrase `@企服助手 安全检查` ("@Enterprise Service Assistant security check") defines a simple, broadly matchable trigger for a powerful action ('全面扫描', a full scan). In chat environments, broad invocation phrases can be activated unintentionally by quoted text, forwarded messages, or adversarial prompting, causing unauthorized or confusing execution of security-related workflows. In this enterprise-service context, that is more concerning because the assistant may have access to sensitive project knowledge and data-handling functions.

Missing User Warnings (Medium severity, 89% confidence)

Finding: The onboarding guide explicitly asks users to configure notification webhook URLs and states that the assistant will test the notification channel, but it does not warn users what data may be sent, where it will be sent, or how to limit test payloads. In an enterprise-service context, webhook testing can leak tenant identifiers, business metadata, or operational details to external systems if misconfigured or if the webhook endpoint is untrusted.

Missing User Warnings (Medium severity, 92% confidence)

Finding: The guide instructs users to provide local paths to business data files and later says the assistant will read the data file to validate configuration, but it does not warn that those files may contain sensitive customer, contract, and financial information. This can normalize broad access to local sensitive data without informed consent, path restrictions, or data-minimization guidance.

Missing User Warnings (Medium severity, 89% confidence)

Finding: The template explicitly prompts users to store a WeCom webhook URL plus email/SMS notification details in a project knowledge base, but it provides no warning that these values are sensitive secrets or personal contact data. In this skill context, the knowledge base is a central workspace artifact likely to be reused, shared, or inspected by the agent, which increases the chance of secret leakage, unintended notification abuse, or exposure of personal contact information.

VirusTotal

63/63 vendors flagged this skill as clean.