ClawHub

Pilot Sales Pipeline Setup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed sales-pipeline setup guide, but users should treat the lead, outreach, CRM, and Slack data flows as sensitive business data.

Before installing, review each referenced pilot-* dependency, confirm Pilot and ClawHub binaries are trusted, verify each peer before handshakes, restrict CRM/Slack/email credentials, avoid unnecessary personal data in examples or tests, and ensure lead collection, tracking, retention, and outreach comply with your company policy and applicable law.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly describes transmitting lead, contact, engagement, CRM, and forecast data across multiple agents and external systems, but provides no guidance on data minimization, lawful basis, consent, retention, or handling of PII/business-sensitive information. In a sales-pipeline skill, this omission is security-relevant because users are encouraged to operationalize real customer and prospect data flows to webhooks and Slack, increasing the chance of privacy violations or unintended disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example commands use realistic prospect and contact payloads, including a named company, domain, contact email, engagement state, deal value, and forecast details, without any warning that these commands simulate transmission of sensitive business/contact data between agents. Because the skill is specifically designed for sales automation, users may copy these patterns directly into production workflows and normalize unsafe handling of prospect data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill is designed to move lead, enrichment, engagement, and CRM update data across multiple agents and to external systems, but it provides no privacy, consent, or data-integrity warning. In a sales pipeline context, this can expose personal or commercially sensitive information to unintended recipients or third-party systems if users do not understand what data is being transmitted.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal