AgenticCreed SignUP Lead

Security checks across malware telemetry and agentic risk

Overview

This skill transparently submits signup lead details to AgenticCreed, but users should treat it as a personal-data sharing tool.

Install only if you trust AgenticCreed and intend agents to submit lead details there. Before each use, confirm the user wants to send the listed fields, avoid optional sensitive fields such as date of birth or address unless needed, and use a protected, least-privilege API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly transmits highly sensitive personal data including email, name, address, date of birth, phone numbers, and employment details to an external endpoint, but it provides no user-facing warning, consent guidance, or data-handling notice. In an agent setting, this can cause silent exfiltration of regulated personal data to a third party, making the omission materially dangerous rather than a mere documentation issue.

Missing User Warnings

Low
Confidence: 88%
Finding
The documentation instructs users to set an API key environment variable but gives no guidance on secure credential storage, scoping, rotation, or avoiding disclosure in logs and prompts. In agent workflows, weak credential-handling guidance can lead to accidental key exposure and unauthorized use of the external service.

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broad and does not define when collecting and transmitting lead data is appropriate, which increases the risk of accidental invocation and unauthorized submission of personal information. Because this skill sends user PII to an external service, vague triggering conditions materially raise the chance of misuse or over-collection.

Missing User Warnings

High
Confidence: 97%
Finding
This skill transmits highly sensitive personal data including email, address, date of birth, phone numbers, job title, and joining date to an external endpoint, but it does not provide an explicit privacy warning, consent flow, or data-handling disclosure. That creates a significant risk of unauthorized disclosure, regulatory noncompliance, and user harm if the agent submits data without the user's fully informed approval.

VirusTotal

66/66 vendors flagged this skill as clean.
