web3-protocol-gtm

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable web3 marketing playbook, but parts of it give under-scoped advice for legally sensitive crypto payments, token launches, and automated outreach.

Review carefully before installing. Treat it as strategic reading material only: do not let an agent use it to launch tokens, place trades, make payments, target sanctioned or restricted markets, send DMs/posts, or use wallet/social credentials without explicit approval, legal/compliance review, and human oversight.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Natural-Language Policy Violations

High
Confidence: 97%
Finding
The document explicitly identifies 'users in sanctioned regions' and businesses that 'never touch banks' as a target audience for crypto payments, without any compliance, legal, or sanctions-screening caveats. In a GTM skill, this is dangerous because it operationalizes go-to-market targeting toward potentially prohibited customers and can facilitate sanctions evasion, money laundering exposure, and severe regulatory enforcement.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guidance explicitly encourages monitoring GitHub activity, detecting churn risk, scoring builders, and sending context-aware follow-ups, but it omits any guardrails around notice, consent, lawful basis, data minimization, or opt-out. In a DevRel playbook, this can normalize privacy-invasive profiling and outreach workflows that may violate platform expectations or privacy regulations when implemented at scale.

Missing User Warnings

High
Confidence: 95%
Finding
The playbook explicitly advises the operator to 'generate visible trading activity' during the critical post-graduation window without clearly warning that self-trading, coordinated circular trading, or other synthetic volume tactics may constitute market manipulation or wash trading. In a token-launch context, readers may interpret this as an instruction to create misleading market signals, exposing them to regulatory, platform-enforcement, and investor-harm risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The recommended 'coordinated push' with pre-arranged KOL posting can facilitate undisclosed paid promotion and artificially synchronized hype if not bounded by disclosure and anti-manipulation guidance. In the crypto-token setting, coordinated influencer activity is especially sensitive because it can mislead buyers about organic demand and trigger advertising, consumer-protection, and market-manipulation concerns.

VirusTotal

65/65 vendors flagged this skill as clean.
