ClawHub

AlphaLens API

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate AlphaLens API skill, but it deserves review because it can send proprietary documents and change pipeline data without clear in-skill confirmation or retention guidance.

Install only if you intend the agent to use your AlphaLens account for market research and pipeline enrichment. Before using upload or pipeline features, confirm what data will be sent, avoid secrets or regulated documents unless approved, and verify AlphaLens retention and deletion terms. For routine search and mapping workflows, the observed behavior is purpose-aligned and not malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The page advertises document ingestion, upload, email forwarding, and API submission of pitch decks and other proprietary materials, but it does not provide any clear user-facing disclosure about storage, retention, model training, access controls, or handling of uploaded confidential data. In a deal-origination and private-market context, users are likely to submit sensitive company and investor information, so omission of these safeguards can lead to unsafe data sharing decisions and potential confidentiality, compliance, or contractual breaches.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file documents document-upload and binary-upload endpoints without warning that submitted content leaves the local environment and may contain sensitive or regulated data. In an agent skill context, this omission is risky because the agent may be induced to upload user-provided files by default, creating unintended data exfiltration to a third-party service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes generic business phrases such as 'white space', 'blue ocean', and 'market gap' that can appear in ordinary discussion outside an AlphaLens-specific request. In an agent setting, overly broad activation can cause the skill to run unexpectedly, leading to unintended API calls, data disclosure to AlphaLens, and incorrect workflow routing.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal