FLWR Branding Studio Kit

Security checks across malware telemetry and agentic risk

Overview

This branding skill appears to be a normal local project scaffold and AI prompt guide, with privacy cautions for client materials.

Install only if you want a local branding-project scaffold. Run it from the workspace where you are comfortable creating clients/<Client_Name>/ folders. Put only authorized, minimized client materials in client_intel, redact sensitive details where possible, and do not upload transcripts, emails, briefs, or proprietary plans to external AI tools unless your client and organization permit it. Treat the ClawHub token instructions as maintainer-only publishing setup and keep any token in a secret store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to place raw client intelligence including meeting notes, interview text, briefs, emails, and competitor material into the project without any privacy, retention, consent, or data-handling warning. In a branding workflow, this context often contains sensitive business or personal data, so encouraging ingestion without safeguards increases the risk of unintended disclosure to the model, local workspace tools, logs, or synced services.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrase 'Start branding project' is broad natural language that could be invoked unintentionally during normal conversation, causing the skill to activate and perform setup actions without clear user intent. Because the skill appears capable of creating directories and initializing files, accidental activation could lead to unwanted filesystem changes or workflow side effects.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The natural-language trigger "Start branding project" is broad enough that it could be invoked during normal conversation, causing unintended execution of the setup workflow. In a skill that creates directories and copies templates, accidental activation can lead to unauthorized file modifications, workspace clutter, or confusing side effects without explicit user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly recommends recording meetings, producing full transcripts, and uploading those transcripts and supporting documents to Claude, but it provides no guidance on consent, confidentiality, data minimization, or handling sensitive client information. In a brand strategy workflow, these materials can contain proprietary business plans, personal data, and confidential communications, so normalizing bulk upload to a third-party AI service increases privacy, contractual, and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
