raai-price-probe-zero-20260421

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real customer-support automation skill, but its naming and package metadata are inconsistent and it can affect customer data, CRM records, replies, and refunds without enough control guidance.

Review before installing. Confirm that you actually intended to install the AI-Поддержка PRO customer-support automation, despite the price-probe-zero naming. Fix or at least understand the installer/package inconsistencies; disable CRM writes, auto-refunds, and customer-facing sends until approval gates are configured; and use only least-privilege API/CRM/Telegram credentials, with redaction, retention, and escalation-channel rules in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README promotes automated processing of customer support tickets, CRM-linked customer data, routing, escalation, and reporting, but does not warn about handling personal data, sensitive customer content, or the need for human review in higher-risk cases. In a support context, this can lead operators to deploy the skill on real customer conversations containing PII, account details, or complaint histories without adequate privacy controls or oversight.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README advertises automated customer replies and refund handling as standard modes without clearly requiring approval gates or review for financially or reputationally significant actions. In practice, this can cause unauthorized refunds, incorrect customer commitments, or harmful responses to angry customers, creating direct financial loss and customer trust damage.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list contains many generic support phrases such as 'тикет', 'helpdesk', 'customer support', and 'поддержка клиентов', making accidental invocation likely in normal conversation. In an agent environment, overly broad activation can cause the skill to process unrelated user content, potentially pulling CRM context or generating actions when the user did not intend to invoke this workflow.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The module states it should trigger on any incoming customer message, which effectively makes the skill ambient and always-on for a large class of conversations. In context, this is more dangerous because the skill is designed to classify, log, escalate, and personalize using CRM data, so broad activation can lead to unintended data handling and unauthorized workflow execution.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill documents broad CRM access, logging, and webhook-driven customer-data handling, but provides no user-facing privacy notice, minimization rules, retention boundaries, or operator authorization checks. In a support context this creates a realistic risk of collecting, exposing, or reusing personal and financial data without sufficient transparency or control.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrases are broad, natural-language requests such as "Write response templates" and "Automate our support," which overlap heavily with ordinary user conversations about customer support. In an agent environment, this can cause unintended invocation or routing collisions, making the skill activate outside clear user intent and potentially influence unrelated workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples include realistic-looking personal data such as full names, Telegram handles, email addresses, customer IDs, order IDs, complaint details, and purchase history without any indication that the data is fictitious or sanitized. In a support skill context, this can normalize unsafe handling of customer data, encourage operators to paste real PII into prompts, and create privacy/compliance exposure if the examples are reused with production data.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The skill is a broad library of ready-made prompts covering many support workflows without clear trigger boundaries, allowed inputs, or exclusions. In an agent setting, this can cause overbroad activation and unsafe use on arbitrary user content, increasing the chance of mishandling sensitive support, payments, complaints, or incident scenarios.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The examples contain substantial personal and account-related data, including names, Telegram handles, order details, LTV, ticket history, and payment/fraud scenarios, but provide no warning about sensitive-data handling or minimization. This encourages operators or downstream agents to process and replicate real-world personal data in prompts, logs, analytics, or third-party model traffic without proper privacy controls.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The installer writes into a default directory under the user's home and copies multiple files without an explicit confirmation prompt. This is not inherently malicious, but it does modify the filesystem automatically and could surprise users or overwrite expected state in that location, especially if run with an unintended target path.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The escalation template instructs inclusion of customer contact details, LTV, prior history, and chronological message excerpts in generated handoff text. That creates a natural-language overexposure risk: sensitive data may be copied into chats, notifications, or logs visible to people or systems that do not need full access, increasing the blast radius of ordinary support operations.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The auto-response logic explicitly tells the agent to use historical customer records and CRM data to personalize replies, which raises the chance of disclosing stored personal data back into ordinary conversation or the wrong channel. This is especially risky in support environments where identity may be weakly verified and channels like Telegram or email can be shared or misaddressed.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The customer card aggregates personal contacts, purchase history, LTV, support history, behavioral tags, and operator notes into a single generated view. Centralizing this much data in natural-language output increases the risk of oversharing, prompt leakage, unauthorized operator access, and accidental disclosure through copied transcripts or model responses.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content
# TONE-OF-VOICE
# ═══════════════════════════════════════════════════
tone:
  default: "дружелюбный деловой"
  on_negative_sentiment: "спокойный эмпатичный"
  on_vip: "персональный профессиональный"
  on_legal_threat: "нейтральный официальный"
  address_form: "вы"
  use_emoji: false
  response_length: "medium"

# ═══════════════════════════════════════════════════
# RETURNS
# ═══════════════════════════════════════════════════
returns:
  return_policy_days: 14
  return_processing_days: "5-7 рабочих"
  auto_approve_return_under_rub: 1000
  requires_reason_code: true

# ═══════════════════════════════════════════════════
# CRM INTEGRATION (optional)
# ═══════════════════════════════════════════════════
crm:
  enabled: false
  type: "bitrix24"   # bitrix24 / amocrm / hubspot / freshdesk / zendesk
  api_url: ""
  api_key: ""
  auto_create_ticket: true
  auto_update_client_card: true
  required_fields:
    - "client_id"
    - "ticket_category"
    - "priority"
    - "channel"
    - "status"

# ═══════════════════════════════════════════════════
# QUALITY AND NPS/CSAT
Confidence: 74%
Finding
auto_approve

VirusTotal

66/66 vendors rated this skill as clean.
