ClawHub

Prospect Research Repo

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only prospect research skill that may run web and enrichment searches, with no hidden code or install-time behavior found.

Reasonable to install if you want structured pre-call or outreach research. Use it for explicit prospect-research tasks, and be mindful that it may use connected web or enrichment accounts to gather company and contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description includes very broad activation phrases like "research [company]" and "tell me about [company]", which can match ordinary user conversation and cause the skill to trigger when the user did not explicitly intend to invoke it. Over-broad routing can expose company or contact research behavior unexpectedly, waste tool usage, and cause the agent to act on ambiguous prompts without sufficient user confirmation.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example triggers contain ambiguous everyday requests such as "What do I need to know about this company?" and "Tell me about [company] before I reach out," which are common conversational forms and may unintentionally activate the skill in contexts where the user only wanted a brief answer. Because this skill is empowered to perform broad web research and enrichment, accidental triggering increases the risk of unnecessary data gathering, wrong tool invocation, and privacy-sensitive prospect profiling without clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal