ClawHub

Phy Founder Fundraising

Security checks across malware telemetry and agentic risk

Overview

This is a text-only fundraising coaching skill with no executable behavior, credentials, persistence, or hidden data access found in the supplied evidence.

Install this if you want fundraising and investor-communications coaching. Review generated investor materials carefully before sending, prefer explicit fundraising-related prompts to avoid accidental activation, and specify the desired language when drafting investor-facing messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger definition is overly broad because it includes generic fundraising phrases and especially the standalone term "raise," which can match many unrelated contexts and cause accidental invocation. In an agent system, unintended activation can route users into domain-specific guidance they did not ask for, creating confusion, privacy leakage into the wrong skill context, or inappropriate investor/fundraising advice in unrelated conversations.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The examples show Chinese-language user inputs but return English-only outputs without checking the user's preferred language, which can lead to responses in an unexpected language. This is not a classic security flaw, but in practice it is a safety and quality issue that can mislead users, cause them to send investor communications in the wrong language, or expose embarrassing operational mistakes in high-stakes fundraising contexts.

VirusTotal

No VirusTotal findings

View on VirusTotal