Security audit

SZZG007 Background Investigation

Security checks across malware telemetry and agentic risk

Overview

This skill is openly intended for background investigations, but it broadly profiles people and generates trust/risk recommendations without adequate consent, use-limit, or retention safeguards.

Install only for lawful, authorized, and proportionate investigations. Do not use its scores or recommendations as the sole basis for hiring, credit, access, account, or reputational decisions. Treat generated reports as sensitive personal data: minimize what you collect, store outputs only in access-controlled locations, and define retention and deletion rules before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Medium, 89% confidence
Finding
The README promotes comprehensive background investigations and profiling of individuals, including social media analysis, network mapping, trust scoring, and historical activity review, but it does not prominently warn about privacy, consent, retention, jurisdictional, and misuse risks. Although it includes brief 'Ethical Guidelines,' those statements are generic and insufficient for a capability that can facilitate surveillance, profiling, and potentially discriminatory decision-making if deployed without strict controls.

Vague Triggers

Medium, 93% confidence
Finding
The usage guidance is broad enough to encourage background investigations on essentially any 'customer, blogger, or other individual,' without meaningful narrowing to legitimate, consented, or legally justified use cases. In context, this makes privacy-invasive profiling easier to invoke for arbitrary people, increasing the risk of surveillance, harassment, or unjustified due-diligence style screening.

Missing User Warnings

High, 97% confidence
Finding
The skill advertises detailed profiling, network mapping, risk assessment, and trust scoring of individuals, but does not prominently warn users about the privacy, fairness, and downstream harm risks of compiling such dossiers. Given the subject matter, the absence of a strong upfront warning and safeguards materially increases the danger of misuse for invasive profiling, discriminatory decisions, or reputation-based targeting.

Missing User Warnings

Medium, 93% confidence
Finding
The summary describes a capability for profiling individuals, gathering social media data, and producing risk-scored reports, but it does not meaningfully warn about privacy, consent, data minimization, or reputational harm. In this context, the omission is dangerous because the skill is explicitly designed for investigations of real people, making misuse for surveillance, discriminatory profiling, or unlawful data processing more likely.

Missing User Warnings

Medium, 95% confidence
Finding
The usage examples operationalize investigations against identifiable individuals or handles without any responsible-use warning, approval requirement, or limitation on targets. Because the skill context is background investigation and profiling, these examples materially lower the barrier to privacy-invasive or reputationally harmful use against real people.

Missing User Warnings

Medium, 95% confidence
Finding
The tool saves a background investigation report containing profiling and potentially sensitive personal data directly to disk with no consent flow, retention controls, minimization, or warning to the operator. In this skill's context, the entire purpose is profiling individuals, so automatic persistence increases privacy, compliance, and misuse risk if reports are generated on real people or stored insecurely.

Natural-Language Policy Violations

High, 98% confidence
Finding
The skill is explicitly described as enabling comprehensive background investigation and profiling of customers, bloggers, and other individuals, without any stated consent, lawful basis, scope limitation, or safety guardrails. Because the skill context is targeted profiling of people, this is more dangerous than generic data processing: it normalizes surveillance-style use and can facilitate privacy invasion, discriminatory decision-making, or abusive targeting.

VirusTotal

63/63 vendors flagged this skill as clean.
