ClawHub

Automation Workflows

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only workflow automation guide; its main risks are normal privacy and account-permission cautions when connecting business tools.

Install if you want general automation workflow guidance. Before following the examples, review what each connected app can read or change, authorize only the minimum needed access, avoid sending sensitive customer or payment data to spreadsheets or notifications unless necessary, test with sample data first, and periodically turn off unused automations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'save time' or 'automation,' which can cause the skill to activate in contexts where the user did not specifically request workflow automation guidance. Over-broad activation is dangerous because it can inappropriately steer users into operational advice involving third-party tools, credentials, and data-moving workflows without sufficiently clear intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill repeatedly recommends workflows that transfer customer, payment, usage, and CRM data across multiple services, but it does not warn about privacy implications, least-privilege access, consent, retention, or the risk of unintended writes. In practice, users could expose personal or financial data to unnecessary third parties or create harmful automated changes across systems without understanding the security and compliance consequences.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal