Geo Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a marketing/GEO template package, but its diagnostic and monitoring scripts can produce misleading reports, and its data-handling guidance is under-scoped.

Review before installing. Use this as a content/template aid, not as a trustworthy live diagnostic or monitoring system unless the scripts are completed and validated. Publish only official business contact information, avoid personal employee details, and define privacy controls for any consultation records, phone logs, forms, or user feedback you collect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The tool advertises that it detects GEO deployment status and generates a remediation checklist, but nearly all checks are static placeholders that always report default values rather than inspecting the target site. This can mislead users into making security or operational decisions based on fabricated diagnostics, creating integrity risk and a false sense of assurance.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs publishing detailed address, phone, email, and website information, but provides no guidance on consent, role-based contact data, or limiting exposure of personal information. If operators use personal employee details instead of institutional contacts, the workflow can lead to unnecessary disclosure, spam, phishing, or privacy-law compliance issues.

Missing User Warnings

Medium
Confidence: 97%
Finding
The monitoring workflow calls for collecting consultation records, phone logs, forms, and user feedback, but does not define retention limits, lawful basis, minimization, access control, or redaction practices. This creates a realistic risk of overcollection and mishandling of user data, especially if free-text submissions or call notes contain personal or sensitive information.

VirusTotal

65/65 vendors flagged this skill as clean.
