ClawHub

保险保单分析助手

Security checks across malware telemetry and agentic risk

Overview

This insurance-analysis skill is coherent, but it asks for sensitive health, family, income, debt, and policy-document details without enough privacy, redaction, or opt-in safeguards.

Review this skill before installing if you plan to share real policy documents or personal details. Use it only for deliberate policy analysis, provide the minimum information needed, and redact identifiers such as policy numbers, ID numbers, addresses, phone numbers, claim numbers, and unrelated health or financial details from screenshots or text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough to match routine insurance-related conversation, which can cause the skill to activate when the user did not explicitly request policy analysis. In a skill that solicits sensitive personal, financial, family, and health information, over-triggering increases the risk of unnecessary data collection and inappropriate context switching.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This questionnaire solicits highly sensitive personal data, including health conditions, income, debt, family structure, and detailed insurance policy information, but provides no privacy notice, data minimization guidance, consent language, retention limits, or handling restrictions. In a skill that asks users to upload policy screenshots or text descriptions, this creates a meaningful risk of unnecessary collection, overexposure of regulated or sensitive data, and downstream misuse if the data is stored, logged, or shared insecurely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal