Lensmor Exhibitor Search

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill uses a Lensmor API key to search trade-show exhibitors, and its external data flow is expected for that purpose.

Install only if you are comfortable sending the company URL, event identifier, and target-audience text you provide to Lensmor. Avoid entering confidential strategy, private customer lists, credentials, or internal documents, and store the Lensmor API key securely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding:
The manifest description contains many broad multilingual trigger phrases such as 'who is exhibiting' and 'find exhibitors' that can match ordinary user requests outside a clearly consented tool flow. This increases the chance of over-triggering the skill and unintentionally sending user-supplied company URLs or targeting criteria to an external service when the user may not realize a third-party API is involved.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill instructs collection of a company URL or target audience and transmission of that data to the Lensmor API, but it does not include an explicit user-facing disclosure before exfiltrating those inputs to a third party. This is a privacy and consent issue because business-sensitive targeting criteria and company information may be sent off-platform without clear notice.

Missing User Warnings

Low
Confidence: 87%
Finding:
The example includes an authenticated POST request that sends a user-supplied company URL and event context to a third-party service, but it does not disclose that organizational data will leave the local environment. This is primarily a transparency and privacy-consent issue rather than direct code execution, but it can still cause unintended disclosure of business-sensitive prospecting context.

External Transmission

Medium
Category: Data Exfiltration
Content:
## API Call

```bash
curl -X POST https://platform.lensmor.com/external/exhibitors/search \
  -H "Authorization: Bearer uak_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 92%
Finding:
curl -X POST https://platform.lensmor.com/external/exhibitors/search \ -H "Authorization: Bearer uak_your_api_key" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
