Market Inquiry Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only sales inquiry and quotation assistant. Its business-data handling is expected for that purpose, but users should review and minimize sensitive inputs.

Install only if you are comfortable using an AI assistant to draft business quotations from customer communications. Redact unnecessary personal, financial, and confidential contract details before pasting or uploading, verify prices, certifications, delivery dates, payment terms, and bank details, and require manual review before sending any customer-facing quote or follow-up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly encourages users to paste inquiries, emails, chat logs, documents, and even image text that can contain personal data, customer identities, pricing, banking details, and other confidential business information, but it provides no privacy warning or minimization guidance. This increases the chance of unnecessary disclosure of sensitive third-party data to the agent or downstream systems, especially because the workflow is built around rapid ingestion of raw customer communications.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The language-handling table states that several inquiry types will be output as '中文+英文' (Chinese + English) or '中文摘要+英文翻译' (Chinese summary + English translation) by default, without indicating user choice or consent. For cross-border sales inquiries, this can expose commercially sensitive customer content to additional audiences or storage contexts through unnecessary translation and duplication, enlarging the privacy and confidentiality surface beyond what the user intended.

VirusTotal

62/62 vendors flagged this skill as clean.
