customer-onboarding-guider

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only customer onboarding guide with no code or hidden actions, though users should handle identity, network, and transaction-test details carefully.

Safe to install as a reference guide. Before following it operationally, confirm the process with the bank, share identity and infrastructure details only through approved secure channels, and perform any real transaction validation only with business approval, small amounts, monitoring, reconciliation, and rollback readiness.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 82%
Finding
The skill description and usage conditions are phrased broadly around common customer-support questions such as '如何对接' ("how to integrate") and '流程是什么' ("what is the process"), which can match many routine conversations outside the intended narrow onboarding context. This can cause unintended skill activation, leading the agent to provide procedural integration guidance when a different workflow or safer routing would be more appropriate.

Vague Triggers

Medium
Confidence: 84%
Finding
The usage section lists example triggers for full-flow questions and step-specific questions, but does not constrain when the skill should not run. In an agent setting, ambiguous trigger patterns can override more suitable skills or expose internal process guidance to unrelated users, increasing the risk of misrouting and incorrect responses.

Vague Triggers

Low
Confidence: 76%
Finding
Responsibility-related prompts like '我们需要做什么' ("what do we need to do") and '银行负责什么' ("what is the bank responsible for") are highly generic and likely to appear in ordinary business conversations. While the content here is informational rather than directly sensitive, the broad matching increases unintended activation risk and may cause confusing or contextually wrong guidance.

Missing User Warnings

Medium
Confidence: 87%
Finding
The document instructs customers to submit network environment details, IPs, ports, and server configuration information, which are sensitive infrastructure details that can increase attack surface if collected or shared without clear handling safeguards. In a customer-onboarding context this is operationally necessary, but the lack of guidance on secure transmission, least disclosure, retention, and access control creates a real information-security weakness rather than a purely stylistic issue.

Missing User Warnings

Medium
Confidence: 84%
Finding
The onboarding guide requires production validation using real transactions but does not include safeguards around transaction amount limits, approval requirements, rollback/reconciliation, or protection of real customer/account data. In this skill's context, real-production verification may be legitimate, but omitting operational safety controls can lead to unintended financial impact, data exposure, or integrity issues during go-live.

VirusTotal

66/66 vendors flagged this skill as clean.
