Security audit

Tob Sales Proposal

Security checks across malware telemetry and agentic risk

Overview

This is a local sales-proposal generator that appears coherent and purpose-aligned, with dependency hygiene and output-file cautions but no evidence of hidden data access or exfiltration.

Install from the reviewed package, prefer deterministic installs using the lockfile, choose a fresh output path such as a new proposal.html, and review or redact customer names, budgets, and pain points before pasting the generated proposal into any external AI or presentation service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "李宁 <lining434@gmail.com>",
  "license": "MIT",
  "dependencies": {
    "commander": "^11.0.0",
    "inquirer": "^8.2.6",
    "chalk": "^4.1.2",
    "handlebars": "^4.7.8",
Confidence
82% confidence
Finding
"commander": "^11.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "license": "MIT",
  "dependencies": {
    "commander": "^11.0.0",
    "inquirer": "^8.2.6",
    "chalk": "^4.1.2",
    "handlebars": "^4.7.8",
    "fs-extra": "^11.1.0"
Confidence
82% confidence
Finding
"inquirer": "^8.2.6"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "dependencies": {
    "commander": "^11.0.0",
    "inquirer": "^8.2.6",
    "chalk": "^4.1.2",
    "handlebars": "^4.7.8",
    "fs-extra": "^11.1.0"
  },
Confidence
82% confidence
Finding
"chalk": "^4.1.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "commander": "^11.0.0",
    "inquirer": "^8.2.6",
    "chalk": "^4.1.2",
    "handlebars": "^4.7.8",
    "fs-extra": "^11.1.0"
  },
  "devDependencies": {
Confidence
90% confidence
Finding
"handlebars": "^4.7.8"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "inquirer": "^8.2.6",
    "chalk": "^4.1.2",
    "handlebars": "^4.7.8",
    "fs-extra": "^11.1.0"
  },
  "devDependencies": {
    "jest": "^29.7.0",
Confidence
82% confidence
Finding
"fs-extra": "^11.1.0"

Known Vulnerable Dependency: handlebars==4.7.8 — 8 advisory(ies): CVE-2026-33916 (Handlebars.js has Prototype Pollution Leading to XSS through Partial Template In); CVE-2026-33937 (Handlebars.js has JavaScript Injection via AST Type Confusion); CVE-2026-33938 (Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @part) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
handlebars==4.7.8

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.