Visit Management

Security checks across malware telemetry and agentic risk

Overview

This skill openly reads a local customer Excel ledger to create visit plans and reminders, with sensitive but purpose-aligned local persistence and no evidence of hidden exfiltration or malware.

Install only on a machine authorized to access the listed customer workbook. Before enabling cron or WeCom delivery, confirm who can read the generated JSON files and chat messages, restrict filesystem permissions, rotate or protect any webhook key, and fix the unit-number versus tenant-name matching bug to avoid sending the wrong customer context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding:
A visit-reminder skill that also reconstructs customer profiles and aggregates fee, energy, and repair information violates least-privilege and expands access to sensitive business data. Even without code execution abuse, this broadens the blast radius of misuse or accidental disclosure beyond what users would reasonably expect from the skill name and description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill pulls together cross-domain tenant data—billing, energy, repair, service history, and contract status—without a clearly documented need for all of it to perform reminder generation. This aggregation increases sensitivity significantly, enabling rich profiling of tenants and raising the risk of privacy violations, unauthorized business intelligence exposure, or oversharing when outputs are pushed to external systems.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding:
The code claims to operate on unit numbers but compares tenant-name columns against unit_no in follow-up and detail lookup functions. This identifier mismatch can cause incorrect record association, leading to wrong customer data being attached to visit plans, follow-up status, or quality evaluations, which is a security-relevant integrity issue when handling sensitive operational data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly describes pushing visit plans to WeCom and includes a webhook configuration, but it does not warn that tenant names, unit numbers, risk signals, and possibly other sensitive operational data will be transmitted to an external messaging endpoint. This creates a meaningful exfiltration and privacy risk, especially if webhook destinations are misconfigured, shared broadly, or compromised.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code writes customer visit plans containing identifiers, names, room numbers, schedules, and visit purposes to a predictable local path in plaintext JSON. In this skill context, the data is business/customer operational information from a real Excel ledger, so local persistence increases the risk of unintended disclosure to other local users, backups, logs, or processes on the host.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill writes daily reminder data with customer scheduling information to disk in plaintext JSON under a predictable path. Because the skill handles real visit schedules and customer context, this persistence can expose sensitive operational details and increase the attack surface if the host is shared or compromised.

VirusTotal

65/65 vendors flagged this skill as clean.