Marketing Drafter

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only marketing copy helper with expected AI API use, but users should be careful about what data they send to the model provider.

Before installing, verify the npm/PyPI package and repository because the executable package code is not included in this skill artifact. Use a secrets manager or environment variable for the API key, set provider spend limits where possible, and avoid entering confidential customer data, unreleased launch plans, regulated data, or trade secrets unless your organization has approved that AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README demonstrates use of a remote AI model via API key but does not disclose that prompts and generated content are transmitted to an external provider. Users may assume processing is local and inadvertently send confidential marketing plans, customer details, or proprietary business data to a third party, creating privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The examples include realistic customer and company data in prompts without warning users not to include sensitive, confidential, or personal information. In a marketing-generation context, users are especially likely to paste CRM records, prospect data, campaign metrics, or internal business information, which could be exposed to external AI services or mishandled downstream.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill clearly shows use of an external AI model and API key, but it does not warn users that campaign text, product information, customer messaging, or other marketing inputs may be transmitted to a third-party AI provider. This creates a real privacy and compliance risk because users may paste proprietary business plans, unreleased launch details, customer data, or regulated content into prompts without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
