ClawHub
Back to skill

Security audit

Merge Duplicate Companies

Security checks across malware telemetry and agentic risk

Overview

This appears to be a HubSpot export helper that handles sensitive CRM data, so it is usable but should be run with care.

Install only if you intend to export HubSpot CRM data. Use a narrowly scoped HubSpot private app token, run it in a trusted workspace, choose an access-controlled output location, and delete or protect the generated CSV files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill performs network access, reads environment variables, and writes files, but does not declare any permissions or capability boundaries. This creates a transparency and governance problem: a user or execution framework may not realize the skill can access sensitive tokens, export CRM data, and transmit data off-host, increasing the chance of over-privileged or unsafely reviewed execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script exports potentially sensitive CRM data to local CSV files without any explicit warning, consent gate, classification, retention guidance, or file-permission hardening. Even though this is part of the skill's intended function, company names, domains, owner IDs, lifecycle data, and association counts can become exposed through shared workstations, backups, source directories, or accidental redistribution of the generated files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.