ClawHub

Intelica — Competitive Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is a remote paid competitive-intelligence API skill; its purpose and endpoint are clear, but users should control what business context is sent and approve paid calls.

Install only if you are comfortable sending competitor URLs, company descriptions, and strategic context to Intelica's remote service. Configure your agent to ask before paid x402 calls, avoid confidential acquisition or partnership plans unless authorized, and use the free demo or budget controls first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger is written broadly enough that an autonomous agent may invoke this skill for many loosely related strategic or monitoring tasks, increasing the chance of unnecessary calls to an external paid service. In this skill, broad invocation is more concerning because requests may include sensitive business context, competitor data, and URLs that are transmitted to a third-party endpoint.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'When to use' guidance encourages invocation for broad business-analysis scenarios rather than tightly scoped tasks, which can cause agents to overuse the skill or send data by default. Because the service is remote and monetized, this expands both privacy exposure and financial risk from unintended or repeated invocations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs users to POST company descriptions, URLs, context, and agent messages to a remote endpoint but does not prominently warn that this information leaves the local system and is processed by a third-party service. In a competitive-intelligence context, the omitted warning is more dangerous because submitted data can contain confidential strategy, acquisition interests, partnership plans, or other sensitive business information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal