Security audit

yijianba

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable management-diagnosis skill whose sensitive information use is purpose-aligned, but users should handle company and employee materials carefully.

Before using this skill with real company materials, confirm you are authorized to share them, redact trade secrets and personal data where possible, obtain consent before recording interviews, keep questionnaire responses anonymous or aggregated, and avoid uploading regulated or confidential documents unless your organization has approved that handling process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs collection of enterprise annual reports, management systems, strategy documents, industry materials, and leadership speeches, which can include confidential business information. Because it provides no user-facing warning about confidentiality, minimization, retention, or safe handling, users may disclose sensitive internal data into the agent workflow without understanding the privacy and trade-secret risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill recommends recording interviews and collecting raw questionnaire data while emphasizing broad organizational coverage, but it does not require participant consent or warn that recordings and raw responses may contain personal data, sensitive opinions, or legally protected information. This creates a clear risk of unauthorized surveillance, privacy violations, and over-collection of employee data, especially in cross-level organizational diagnostics.

VirusTotal

63/63 vendors flagged this skill as clean.
