Crm

Security checks across malware telemetry and agentic risk

Overview

This is a local markdown CRM skill that stores and searches contact data as described. The review raises privacy and path-safety cautions but found no hidden or malicious behavior.

Install it only if you are comfortable storing contact and relationship information in local agent memory, where it becomes searchable. Avoid storing secrets or highly sensitive notes, review import/export files and output paths, use dry-run for imports, and enable HEARTBEAT reminder checks only if you want recurring CRM notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README encourages natural-language ingestion of contact details and automatic creation of contact files inside the `memory/` tree, which is then indexed for semantic search, but it does not clearly warn users that personal data and possibly sensitive relationship notes will be persisted locally and made more discoverable. In a CRM context this can lead to unintended collection, retention, and exposure of personal data, especially if users assume they are just chatting with the assistant rather than authoring searchable records.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation text is broad enough that the skill could activate on many ordinary contact- or networking-related requests, potentially causing file writes or data processing when the user did not explicitly ask to use the CRM. In a skill-routing system, ambiguous triggers raise the risk of unintended collection, storage, or modification of personal contact data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill supports importing and exporting contact datasets, including potentially sensitive personal information, without any warning, consent check, or handling guidance. That creates privacy and compliance risk because users may process third-party data or export it to insecure locations without understanding the exposure.
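The overview advises reviewing output paths and using dry-run for imports, and this finding notes that exports can land in insecure locations. What such a check looks like in practice, as an added example that is not the Crm skill's own code: a hypothetical `safe_target_path` confines a user-supplied import/export path to the skill's root (rejecting absolute paths and `..` escapes, and following symlinks so a link pointing outside the root is caught too), and a hypothetical `plan_import` parses a constructed contacts CSV, flags rows whose notes look like secrets, and touches disk only when `dry_run=False`. The `memory/contacts/` layout, the CSV columns and the marker-word list are assumptions.

```python
import csv
import io
import os
import tempfile
from pathlib import Path

# Added example, not the Crm skill's own code. Assumptions: records live
# under a single root directory (the skill's memory/ tree), import files are
# CSV with name/email/notes columns, and these marker words are a reasonable
# first-pass signal that a note holds a secret rather than a relationship note.
SENSITIVE_MARKERS = ("password", "secret", "token", "api_key", "ssn")


def safe_target_path(root: str, requested: str) -> Path:
    """Resolve `requested` under `root`, refusing anything that escapes it.

    Absolute paths are rejected outright. resolve() follows symlinks, so a
    link inside root that points outside is rejected too. Raises ValueError.
    """
    root_p = Path(root).resolve()
    if Path(requested).is_absolute():
        raise ValueError(f"absolute path not allowed: {requested}")
    target = (root_p / requested).resolve()
    # commonpath is a containment test that a plain string prefix is not
    # (it would accept /data/rootkit as being inside /data/root)
    if os.path.commonpath([str(root_p), str(target)]) != str(root_p):
        raise ValueError(f"path escapes {root_p}: {requested}")
    return target


def slugify(name: str) -> str:
    """Reduce a contact name to a filename-safe slug (letters, digits, dashes)."""
    return "".join(c.lower() if c.isalnum() else "-" for c in name).strip("-")


def plan_import(root: str, csv_text: str, out_dir: str, dry_run: bool = True) -> dict:
    """Parse a contacts CSV and report what would be written under root/out_dir.

    Returns {"writes": [(Path, str), ...], "rejected": [...], "flagged": [...]}.
    The output directory is validated before any row is read; files are only
    created when dry_run is False, so a dry run is safe to show the user first.
    """
    out = safe_target_path(root, out_dir)  # raises on traversal / absolute path
    writes, rejected, flagged = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("name") or "").strip()
        slug = slugify(name)
        if not slug:
            rejected.append(f"row without a usable name: {row!r}")
            continue
        notes = row.get("notes") or ""
        if any(m in notes.lower() for m in SENSITIVE_MARKERS):
            flagged.append(name)  # surfaced for review; secrets should not be stored
        content = f"# {name}\n\n- email: {row.get('email') or ''}\n- notes: {notes}\n"
        writes.append((out / f"{slug}.md", content))
    if not dry_run:
        out.mkdir(parents=True, exist_ok=True)
        for path, content in writes:
            path.write_text(content, encoding="utf-8")
    return {"writes": writes, "rejected": rejected, "flagged": flagged}


# Constructed sample import file (not real contact data).
SAMPLE_CSV = """name,email,notes
Ada Lovelace,ada@example.org,met at conference; follow up in May
Bob,,shared his wifi password: hunter2
,no-name@example.org,orphan row
"""


def demo() -> dict:
    """Dry run, an escape attempt, then a real import in a temp root."""
    root = tempfile.mkdtemp()
    dry = plan_import(root, SAMPLE_CSV, "memory/contacts", dry_run=True)
    files_after_dry = sorted(p.name for p in Path(root).rglob("*.md"))
    try:
        plan_import(root, SAMPLE_CSV, "../outside", dry_run=True)
        escape_rejected = False
    except ValueError:
        escape_rejected = True
    real = plan_import(root, SAMPLE_CSV, "memory/contacts", dry_run=False)
    files_after_real = sorted(p.name for p in Path(root).rglob("*.md"))
    return {
        "dry": dry,
        "files_after_dry_run": files_after_dry,
        "escape_rejected": escape_rejected,
        "files_after_real_run": files_after_real,
        "flagged": real["flagged"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The dry run returns the planned paths and the flagged and rejected rows without creating anything, which is the review step the overview asks for; the path check runs once on the output directory before any row is parsed, so a bad `--out` style argument fails before any data is processed.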

VirusTotal

64/64 vendors flagged this skill as clean.