Pilot Brand Protection Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent brand-protection setup, but it can deploy agents for legal takedowns and external reporting without clear approval or scoping controls.

Review this carefully before installing. Use it only for a brand-protection deployment you control, pin and review the dependent Pilot skills, verify every Pilot handshake and webhook/Slack destination, and require human legal review before any takedown, platform report, or cease-and-desist action is filed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 86% confidence
Finding
The README instructs users to deploy a system that performs marketplace/social-media scanning, DMCA reporting, and stakeholder reporting, but it does not warn about legal review, privacy considerations, data-sharing boundaries, or the risk of false accusations. In this context, users may operationalize automated enforcement and external reporting without appropriate safeguards, creating compliance, privacy, and reputational harm.

Missing User Warnings

Medium, 93% confidence
Finding
The skill explicitly defines outbound reporting to external stakeholders via Slack/webhooks and external port 443 flows, but it does not instruct the operator to obtain user approval, minimize transmitted data, or warn that scanned violations and enforcement outcomes may leave the local system. In a brand-protection workflow, these reports can contain sensitive evidence, investigation results, or legal-action metadata, so silent external sharing creates a real data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.
