Security audit

Startup Adaptation Strategist

Security checks across malware telemetry and agentic risk

Overview

This is a market-research skill whose main risk is that startup ideas may be sent to a named third-party API and recorded in working memory.

Install only if you are comfortable using it for startup-market research. Do not submit trade secrets, unreleased business plans, customer data, or proprietary strategy to the external API or persistent memory unless you trust those data flows and have checked any sanctions, legal, or compliance implications.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill instructs the agent to perform broad external reconnaissance across search engines, Telegram, GitHub, and review sites without clear scoping, minimization, or authorization boundaries. This can cause unnecessary data collection, expansion of the agent’s effective capabilities, and potentially unsafe interactions with untrusted external content, especially because the searches are open-ended and repeated as part of a workflow.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill directs an outbound POST request to a third-party API service, but the file provides no manifest-level justification, trust boundary description, or data-handling guarantees for what is sent externally. Even if the payload appears limited to idea text, this can leak sensitive user or business information to an unvetted service and creates an avoidable external dependency in the decision pipeline.

VirusTotal

62/62 vendors flagged this skill as clean.