Lensmor Recommendations

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Lensmor API skill for ranking trade-show exhibitors, with the main caution that user-provided ICP and targeting details are sent to Lensmor.

Before installing, confirm your organization permits sending company profile, ICP filters, target-account names, and prospecting criteria to Lensmor. Keep the API key in an approved secret mechanism and avoid including confidential customer data or internal sales strategy unless Lensmor has been vendor-approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the skill sends company profile and ICP filters to the Lensmor API, but it does not clearly warn users that potentially sensitive business strategy data will be transmitted to a third party. In a sales/prospecting context, ICP definitions, target account lists, and show targeting criteria can be commercially sensitive, so lack of explicit disclosure creates a real privacy and data-governance risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description embeds many broad multilingual trigger phrases such as generic requests for recommendations, which can cause accidental or overly broad invocation in normal conversation. In a user-invocable skill that can make authenticated external API calls, weak invocation boundaries increase the chance of unintended data access, unintended outbound requests, and user confusion about what tool is being activated.

External Transmission

Medium
Category
Data Exfiltration
Content
- Lensmor API key (`uak_your_api_key`) — contact [hello@lensmor.com](mailto:hello@lensmor.com) to purchase
- Base URL: `https://platform.lensmor.com`
- Full API docs: [https://api.lensmor.com/](https://api.lensmor.com/)

## Install
Confidence
84% confidence
Finding
https://api.lensmor.com/

External Transmission

Medium
Category
Data Exfiltration
Content
- Lensmor API key (`uak_your_api_key`) — contact [hello@lensmor.com](mailto:hello@lensmor.com) to purchase
- Base URL: `https://platform.lensmor.com`
- Full API docs: [https://api.lensmor.com/](https://api.lensmor.com/)

## Install
Confidence
84% confidence
Finding
https://api.lensmor.com/

VirusTotal

65/65 vendors flagged this skill as clean.
