ClawHub

SZZG007 Web Deep Research

Security checks across malware telemetry and agentic risk

Overview

This is not obvious malware, but it needs review because it enables broad customer and decision-maker background research without clear privacy or consent limits.

Install only if you will use it for legitimate, scoped business research. Before any customer background check, confirm authorization, avoid personal identifiers unless necessary and lawful, restrict allowed sources, minimize personal data, and clear any caches containing sensitive topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad, everyday requests such as market research, company background checks, and product review searches, which can cause the skill to activate unintentionally in normal conversations. In this skill's context, accidental invocation is more dangerous because it initiates wide-ranging web research and customer background investigation across many platforms, potentially causing unintended data collection and external API usage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly supports customer background checks and cross-platform aggregation but does not disclose privacy implications, lawful basis, retention, or handling of personal data. This is dangerous because the documented use cases include gathering company and decision-maker background information from multiple sources, which increases the risk of privacy violations, non-compliant profiling, and misuse of personal or sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal