Web3 Target Team Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a web3 lead-research tool, but it also enables persistent autonomous hunting and stores personal contact handles in local files, so users should review it carefully before installing.

Install only if you intentionally want an always-on web3 lead-generation workflow that collects and stores personal Telegram contact data. Before use, remove or tightly limit the cron/auto-respawn behavior, replace hardcoded local paths, set explicit run limits and source limits, and decide how contact records will be retained or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
This file changes the skill from user-triggered research into persistent autonomous operation by instructing the agent to continuously respawn subagents. That broadening is dangerous because it can consume resources, continue acting without fresh user consent, and create ongoing background behavior that exceeds the stated purpose of a research skill.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The cron-based orchestration introduces persistence and automated task management that is not necessary for ordinary web3 team research. In practice, this creates an unattended automation loop capable of repeatedly spawning agents, which increases the risk of runaway activity, policy bypass through delegation, and unmonitored resource use.

Description-Behavior Mismatch

Medium, 96% confidence
Finding
The instruction to keep the search running until told to stop creates indefinite autonomous behavior with no natural termination point. That is risky because it encourages long-lived background execution, repeated subagent spawning, and ongoing workspace changes even after the original user request may be complete.

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The workflow clearly expands from a bounded research task into ongoing lead-generation, source discovery, and continuous monitoring. That creates an open-ended collection pipeline that can operate far beyond the user's immediate request, increasing privacy, compliance, and abuse risk.

Context-Inappropriate Capability

High, 99% confidence
Finding
The instruction to 'RUN 24/7 UNTIL DERRICK SAYS STOP' and to respawn subagents indefinitely authorizes persistent autonomous operation without meaningful bounds. In this context, that can drive uncontrolled data collection, repeated platform access, and large-scale harvesting of personal contact data.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The workflow instructs shell commands against local files in `/Users/derrick/...` to deduplicate and inspect prior results, granting access to host-local data not justified by simple web research. This broadens the skill from external research into local filesystem interaction, increasing risk of unintended data exposure and overreach.

Vague Triggers

Medium, 94% confidence
Finding
The description uses broad prospecting language such as 'building contact lists' and 'researching funded startups,' which increases the chance of accidental invocation in ordinary sales or research contexts. Because the skill performs contact harvesting and parallel subagent activity, unintended activation could trigger collection of personal contact data and downstream automation without the user explicitly requesting that behavior.

Vague Triggers

Medium, 95% confidence
Finding
The quick-start phrase 'Hunt for crypto teams from [SOURCE]' is highly underspecified and resembles normal user language, making false activation plausible. In this skill, activation is not harmless: it initiates structured lead discovery, Telegram verification, and data aggregation, so vague triggering creates operational and privacy risk.

Vague Triggers

Medium, 95% confidence
Finding
The start command 'Start crypto hunters targeting [SOURCES]' is another ambiguous natural-language trigger that could be matched from ordinary discussion. Since the command spawns multiple subagents and begins autonomous research activity, unclear activation semantics can cause unintended multi-agent execution and data collection beyond what the user meant to request.

Missing User Warnings

Medium, 98% confidence
Finding
The skill explicitly instructs users to create a cron job and configure auto-respawn behavior, establishing persistence and recurring execution without any prominent warning about ongoing system changes. Persistent automation is dangerous because it can continue harvesting targets, modifying files, and consuming resources after the original session ends, and users may not realize they have installed a self-maintaining process.

Missing User Warnings

Low, 88% confidence
Finding
The file tells the agent to create and update local workspace files without clearly informing the user that persistent files will be modified. While less severe than the autonomous respawn logic, silent file creation can surprise users, overwrite data, and make the skill perform side effects outside expected read-only research behavior.

Missing User Warnings

Medium, 94% confidence
Finding
The cron job is introduced without a strong warning that it will continue to run and respawn subagents until someone manually disables it. This lack of disclosure is dangerous because users may unknowingly enable persistent background automation that keeps consuming resources and acting beyond the immediate task window.

Missing User Warnings

Medium, 98% confidence
Finding
The workflow explicitly directs collecting individual Telegram handles and saving them to a local CSV without any notice, consent framework, minimization, or retention limits. Because these are personal contact identifiers tied to names and roles, the behavior enables covert contact-list building and persistent profiling.

Missing User Warnings

Medium, 96% confidence
Finding
The instruction to write unsuccessful research attempts and notes to `crypto-no-contacts.csv` still creates persistent records about researched individuals and organizations. Even failed lookups can reveal targeting history, attempted usernames, and profiling notes that should not be silently stored.

Ssd 4

High, 99% confidence
Finding
This workflow is explicitly designed to identify, verify, and compile individual employees' Telegram accounts for selected crypto companies. In context, that is targeted harvesting of personal contact channels for prospecting or outreach, which materially increases stalking, phishing, spearphishing, doxxing, and social-engineering risk.

Ssd 3

High, 99% confidence
Finding
The skill not only gathers personal contact data but instructs persisting it into local CSV files alongside names, roles, funding context, and notes. That converts ad hoc scraping into a reusable targeting database, substantially raising the risk of misuse for spam, phishing, harassment, or unauthorized intelligence collection.

VirusTotal

65/65 vendors flagged this skill as clean.