Sophiie AI Office Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Sophiie API wrapper that can manage CRM data and send calls or SMS: it is powerful, but it is not deceptive.

Install only if you intend your agent to manage a live Sophiie account. Use a test or least-privileged API key where possible, and require explicit confirmation before sending SMS or calls, deleting records, or changing customer-facing FAQs and policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README advertises actions that can send SMS, place calls, and create, update, or delete business records, but it does not clearly warn that these are real external side-effecting operations. In an agent-skill context, that omission is dangerous because users may invoke natural-language commands assuming they are informational, leading to unintended communications, record changes, or privacy-impacting actions against live customer data.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The skill description and invocation guidance are broad enough that ordinary requests like 'call', 'text', 'show leads', or business-management phrasing could trigger this skill unintentionally. Because the skill supports destructive and externally visible actions such as sending SMS, placing calls, and deleting records, accidental activation can cause real-world side effects and data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The SMS capability is documented without a prominent user-facing warning about external message delivery, recipient impact, or billing/communication consequences. In a skill that can message leads directly, missing warnings increase the risk of accidental outbound communications, privacy violations, and unauthorized contact with customers.

VirusTotal

66/66 vendors flagged this skill as clean.
