ClawHub

Cloud Service Agreement

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps generate SaaS agreement documents, but users should understand whether their contract details are sent to the hosted service or written temporarily to disk.

Install only if you are comfortable with the selected rendering path. Use Remote MCP only when sharing agreement values with Open Agreements is acceptable; use the local CLI or preview path for more sensitive contracts. If using the local CLI, pin the package version, enforce the documented validation rules, and delete the temporary values file after generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly prefers a remote MCP service for template filling and states that collected agreement data is sent to that server, but it does not require any explicit privacy notice, consent step, or data-handling warning before transmitting potentially sensitive contract terms. Because SaaS agreements commonly contain customer names, pricing, business terms, and legal clauses, silent transmission to a third-party service creates a real confidentiality and compliance risk.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The local CLI path writes collected agreement values to a predictable temporary file under /tmp, which may persist if the process errors or cleanup is skipped. Even though the file is later removed, the workflow does not warn the user that sensitive contract data will be stored locally on disk, creating residual confidentiality exposure on shared or monitored systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal