Security audit

Zen Founder Fundraising Agent

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends user-provided pitch deck text to Zen.GP for investor matching and does not include hidden code or unrelated access.

Install only if you intend to share pitch deck content with Zen.GP. Redact confidential financials, customer data, or strategy details unless you are comfortable sending them to that service. Keep the API key secret, and rotate it if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill encourages users to submit full pitch deck content for analysis, but it does not clearly warn that this sensitive business information will be transmitted to Zen.GP, an external third-party service. Pitch decks commonly contain confidential financials, strategy, customer data, and fundraising plans, so users may disclose sensitive information without informed consent.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup instructions tell users to configure an API key but do not include guidance on secure credential handling, such as avoiding hardcoding, limiting sharing, or rotating exposed keys. While this is common documentation behavior, omission of even basic warnings can increase the likelihood of accidental credential exposure in logs, screenshots, or shared config.

External Transmission

Medium
Category
Data Exfiltration
Content
Combined operation - analyze pitch and get investor matches in one call.

```bash
curl -X POST https://zen.gp/api/v1/founder/analyze-and-match \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ZEN_FOUNDER_AGENT_API_KEY" \
  -d '{
```

Confidence
97% confidence
Finding

```bash
curl -X POST https://zen.gp/api/v1/founder/analyze-and-match \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ZEN_FOUNDER_AGENT_API_KEY" \
  -d '{
    "content": "<pitch deck text content>"
```

VirusTotal

66/66 vendors flagged this skill as clean.