Trade Show Contact Finder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Lensmor contact-search skill for trade-show outreach, with privacy and lawful-use considerations users should review.

Before installing, confirm you trust Lensmor with company and role search inputs, protect the LENSMOR_API_KEY, and make sure your use of returned contact and LinkedIn profile data complies with your organization's privacy, marketing, anti-spam, and platform-use rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly describes retrieving and ranking named business contacts from a third-party API, but provides no privacy notice, lawful-use guidance, or disclosure that company names and search criteria will be sent to an external service. In a lead-generation skill, this omission can cause users to unknowingly transmit prospecting targets to a third party and process personal data without appropriate transparency or compliance checks.

Vague Triggers

Medium
Confidence: 88%
Finding
The description contains broad multilingual trigger phrases such as generic requests to 'find contacts' or 'find decision-makers,' which can cause the skill to activate in contexts the user did not intend. Unintended invocation can send company names and role queries to the external Lensmor API, creating privacy, data-governance, and workflow-integrity risks.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill does not clearly disclose up front that company names, role filters, and related search inputs are transmitted to the third-party Lensmor service for processing. This lack of transparency can lead users to unknowingly send potentially sensitive business targeting data to an external provider, creating privacy and compliance concerns.

Missing User Warnings

Medium
Confidence: 87%
Finding
This example operationalizes identification of named individuals, their roles, and LinkedIn profiles for targeted outreach, but provides no guardrails about privacy, lawful basis, consent, anti-spam requirements, or responsible use of personal data. In a sales/prospecting skill, that omission can normalize collection and use of personal profile data for unsolicited contact and increase the risk of privacy, compliance, and harassment misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
