ClawHub

product-picker

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill creates product evaluation reports, sends them back to the current Feishu chat, and optionally starts PPT conversion after user confirmation.

Install this only if you want product evaluation reports saved locally and sent as attachments in your current Feishu conversation. Review the report contents first when they may contain confidential product, strategy, or third-party platform data, and only approve the PPT conversion if you trust the referenced md-to-nanobanana-ppt workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill mandates sending the generated Markdown report as a Feishu attachment but provides no requirement to assess whether the report contains sensitive business, personal, or third-party platform data before outbound sharing. This creates a real data-handling risk because users may assume all collected and derived content is safe to export, leading to unintended disclosure through messaging channels.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section combines mandatory local file creation with mandatory outbound attachment delivery, yet omits safeguards around retention, access control, and disclosure of locally stored report contents. That makes the risk more concrete than a generic workflow issue, because the skill hard-codes persistent storage and exfiltration behavior without any user warning or policy check.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The PPT-generation step forwards a locally generated Markdown file into another agent workflow without warning that user-generated or scraped content will undergo further processing. This is a genuine but lower-severity issue because it increases the propagation surface of potentially sensitive content, even though it is a downstream processing risk rather than an immediate direct leak by itself.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal