Signup Lead

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends signup lead contact details to a named AgenticCreed API. Users should consider privacy precautions before using it.

Install this only if you intend to send signup lead information to AgenticCreed. Before using it with real people’s data, confirm you have permission, avoid optional sensitive fields unless required, and make sure the API key and destination service are approved for handling that personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly documents sending personally identifiable information, including contact details and date of birth, to a public internet endpoint, but provides no privacy notice, consent requirement, data minimization guidance, retention statement, or warning to verify authorization before transmission. In an agent context, this increases the risk of unauthorized disclosure of sensitive user data to a third party, especially if the agent collects or forwards data automatically based on user prompts.

Vague Triggers

Low
Confidence: 83%
Finding
The skill description states it creates signup leads via a public HTTP endpoint, but it does not define when the skill should be invoked, what user authorization is required, or what limits apply to submitting sensitive personal data. In an agent environment, vague activation scope can cause the skill to be triggered too broadly, resulting in unintended transmission of PII such as email, address, date of birth, and phone numbers to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.
