ClawHub

Ai Intelligent Live Chat

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only live chat and AI Q&A skill with no bundled executable code, but users should verify the external repository and data-handling practices before running it.

Before installing, inspect the referenced GitHub repository and requirements file, verify the publisher, and decide how customer chat logs, GPT-provider processing, retention, deletion, and staff access will be handled. Do not deploy it with real customer data until those controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description and feature list are broad and do not define clear activation constraints, allowed data flows, or operational boundaries. For a live-chat and GPT-integrated support system, this ambiguity can lead to unsafe deployment assumptions, overbroad use, and accidental exposure of customer conversations or model-mediated actions beyond the intended scope.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly advertises chat history and GPT integration but provides no warning about collection, retention, third-party processing, or privacy implications. In a customer-service context, users may disclose sensitive personal, account, or support data, and sending that data to an AI provider or storing transcripts without notice creates substantial privacy, compliance, and data-handling risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description "AI intelligent ai-intelligent-live-chat" is too generic to meaningfully constrain when the skill should be invoked. In an agent ecosystem, vague metadata can cause overbroad matching or accidental invocation in unrelated contexts, increasing the chance the skill is triggered with sensitive user data or performs actions outside user intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal