Value Testing Technique Selection

Security checks across malware telemetry and agentic risk

Overview

This is a product-research planning skill, but it includes unsafe guidance to ask users for login credentials to another product.

Review carefully before installing or using. Treat this as a planning reference only, and do not ask participants for passwords, login credentials, credit-card numbers, or third-party contact details. Use safer signals such as test accounts, redacted exports, participant-managed introductions, OAuth or delegated access after review, and consented contact forms with clear retention and opt-out terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs collecting email addresses or phone numbers from volunteers during fake-door and landing-page tests, but it provides no guidance on notice, consent language, retention limits, lawful basis, or secure handling. While collecting contact details can be legitimate in product discovery, omitting privacy safeguards creates avoidable risk of unauthorized use, over-collection, or noncompliance with privacy requirements.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guidance normalizes installed applications periodically 'calling home' with telemetry and only briefly mentions anonymization and aggregation, without requiring explicit user consent, clear disclosure, retention limits, or compliance with privacy regimes. In a product-strategy skill, that omission can lead teams to implement telemetry in ways that violate user expectations, internal policy, or regulations, especially because this document is framed as prescriptive best practice.

Missing User Warnings

High
Confidence: 99%
Finding
The protocol explicitly instructs testers to ask participants for current-product login credentials as a value signal. Even if framed as hypothetical, normalizing credential requests trains unsafe behavior, risks accidental collection of passwords, and can lead to unauthorized access, privacy violations, or policy breaches against third-party services.

Ssd 3

High
Confidence: 99%
Finding
The 'access test' explicitly tells operators to ask users for login credentials to a competing product, which is a request for highly sensitive authentication secrets. This is dangerous because it normalizes credential harvesting, can violate terms of service and security policies, and creates immediate risk of account compromise, unauthorized access, and liability if those secrets are stored, transmitted, or misused.

Ssd 3

High
Confidence: 99%
Finding
This is a true vulnerability because the natural-language protocol tells staff to request login credentials from users during testing. Such instructions can directly induce insecure collection of secrets and create real opportunities for credential theft, account compromise, and mishandling of regulated or sensitive data.

Ssd 3

Medium
Confidence: 87%
Finding
Encouraging users to enter a boss's or colleague's email address as a commitment signal pressures them to share third-party personal data without prior consent. This can create privacy, consent, and trust issues, and may lead teams to collect contact information they have no lawful or ethical basis to process.

VirusTotal

65/65 vendors flagged this skill as clean.
