Pilot Customer Onboarding Setup

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent customer onboarding workflow, but users should be careful about what customer data they send to Slack, webhooks, or dashboards.

Before installing, confirm which customer fields the skill will send to Slack, webhooks, or dashboards; avoid sending unnecessary PII; use least-privilege webhook credentials; and make sure your team has consent, retention, and access-control rules for onboarding and health data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly describes passing customer profiles, onboarding progress, and health reports between agents and to external dashboards/Slack, but it provides no guidance on data minimization, consent, retention, access controls, or handling of personally identifiable and behavioral data. In an onboarding/customer-success context, this omission can lead operators to deploy a workflow that unnecessarily exposes customer data across systems and third-party integrations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly documents sending customer onboarding data to external systems and Slack/webhook destinations, but it provides no warning, consent step, data minimization guidance, or privacy/security controls. In an onboarding context, these payloads can contain customer identifiers, preferences, progress, and health information, creating a real risk of unintended disclosure to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.
