Afrexai Regulatory Compliance

Security checks across malware telemetry and agentic risk

Overview

This is a text-only compliance checklist skill with no code execution, credentials, persistence, or hidden data flows, but users should avoid sharing sensitive records and should not treat it as legal advice.

Install only if you want a manual compliance-audit checklist and report structure. Use sanitized summaries instead of raw customer data, PHI, payment card data, secrets, legal privileged material, or employee records. Verify framework applicability, deadlines, costs, and regulatory interpretations with qualified counsel or compliance professionals before relying on the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrase invites users to submit arbitrary company descriptions without any invocation constraints, scope limits, or safety boundaries. In a compliance-audit context, this can prompt the agent to process sensitive operational, legal, security, or regulated data too broadly and increases the chance of over-collection or misuse of confidential information.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README encourages running audits on company-specific compliance posture but does not warn users against including sensitive data such as employee records, customer PII, HIPAA-related information, security controls, or audit evidence. Because compliance workflows routinely involve regulated and confidential material, the absence of data-handling warnings materially increases the risk of inappropriate disclosure to the agent.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill promises a full regulatory compliance audit for 'any business,' which overstates capability and omits important boundaries such as jurisdictional limits, need for licensed legal/compliance review, and situations where the checklist is insufficient. Users could rely on it as authoritative guidance and make decisions that miss sector-specific or country-specific obligations, creating legal and operational exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill invites analysis of highly sensitive information including customer data, employee data, PHI, card data, and financial controls, but provides no instruction to minimize, redact, or securely handle regulated data. In practice this can cause users to paste confidential or regulated information into the agent unnecessarily, increasing the risk of privacy breaches, unauthorized disclosure, or downstream noncompliance.

VirusTotal

64/64 vendors flagged this skill as clean.
