ClawHub

Company Profiling Zhcn

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PatSnap pharmaceutical company research workflow, with expected use of PatSnap MCP services and optional web search.

Install only if you intend to use PatSnap's life-science MCP service for pharmaceutical company intelligence. Use a dedicated or revocable PatSnap API key, verify the MCP endpoint before adding it, and avoid submitting confidential research or business strategy questions unless your organization permits sharing them with PatSnap and any web search provider used for fallback research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description says it should be invoked whenever a user asks about a pharmaceutical company, covering broad topics like company overview, pipeline, deals, and patents, but it does not define clear boundaries or exclusions. This can cause over-broad activation, leading the agent to unnecessarily access external MCP data, perform unintended profiling, or answer with this skill when a narrower or safer skill would be more appropriate.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The path trigger conditions use loose keyword-style phrases such as '公司简介', '融资', '能力', '核心产品', '技术交易', and similar terms without scope controls. An attacker or ambiguous user prompt could accidentally or deliberately trigger unrelated modules, causing excessive data retrieval, broader-than-needed company analysis, and increased exposure to external-system calls or sensitive business inferences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal