ClawHub
Back to skill

Security audit

Stainless Steel Sop

Security checks across malware telemetry and agentic risk

Overview

This is a coherent business-trip SOP generator, with the main caution that customer and travel details may be sent to external lookup services.

Before installing or using this skill, confirm that you are allowed to share the customer names, addresses, contacts, and travel dates with any configured search, map, ticketing, weather, or enterprise-data providers. Verify the dependent skills/APIs separately and review generated SOPs before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly describes verifying customer addresses and collecting contact details via network search, but it provides no privacy notice, consent guidance, retention limits, or handling rules for potentially sensitive business contact data. This creates a real risk that users will transmit customer information to external services without understanding the disclosure or complying with internal privacy obligations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill relies on several third-party APIs for rail, maps, weather, and enterprise lookups, which likely involves sending itinerary, location, and customer visit information to external providers. Without an explicit warning or disclosure, users may unknowingly expose sensitive travel plans and customer relationship data to third parties, increasing privacy, confidentiality, and vendor-risk concerns.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal