Tender Analyzer Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate tender-analysis skill, but it asks users to submit sensitive bid materials and includes relationship-based procurement strategy without enough compliance safeguards.

Review before installing. Use only redacted excerpts or approved non-confidential materials, avoid private document URLs unless authorized, and treat any relationship-based bidding advice as a compliance red flag rather than a recommended tactic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The document explicitly includes '关系深浅' (depth of relationships), '关系导向型' (relationship-oriented), and a '关系策略: 加强本地合作' (relationship strategy: strengthen local cooperation) recommendation within a bidding-analysis framework. In procurement contexts, guidance that factors personal relationships into a winning strategy can normalize unfair influence, collusive behavior, or corruption-adjacent conduct. The skill is more dangerous for framing this as practical decision support rather than abstract discussion.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly instructs users to paste full tender and bid documents for automatic analysis, but gives no warning to first redact confidential business information, personal data, pricing strategy, trade secrets, or procurement-sensitive content. In this skill's context, that omission is a meaningful risk: tender and bid documents commonly contain proprietary pricing, internal qualifications, contact data, and contractual details that should not be disclosed to an AI system without prior review.

VirusTotal

58/58 vendors flagged this skill as clean.
