Safe

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is purpose-aligned for generating SAFE documents and clearly discloses its remote-service and local-CLI options.

Install only if you are comfortable using either the hosted Open Agreements MCP service or the local CLI. For confidential fundraising terms, choose the local CLI path, pin the CLI version as instructed, and review the generated SAFE with counsel before signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The workflow instructs the agent to use a remote MCP service for template discovery and document generation, which expands the skill from local document drafting into third-party network transmission and remote file delivery. In the context of fundraising paperwork, users may provide sensitive company, financing, and investor information, so sending this data to an external service without explicit consent or trust disclosure creates a real confidentiality and supply-chain risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The trigger list includes broad terms such as "SAFE," "valuation cap," "seed round documents," and "fundraising paperwork," which can cause the skill to activate in contexts where the user did not specifically request document generation. In this skill, unintended activation is more consequential because it may route sensitive financing data to a hosted remote service or steer the agent into legal-document drafting workflows without sufficiently clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Remote template filling sends user-supplied agreement contents to an external MCP server, yet the workflow does not require an explicit privacy or data-transmission warning. Because SAFE documents can contain confidential fundraising details, this omission can lead users to disclose sensitive legal and business information to a third party without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.