ClawHub

Performance Review Engine

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only performance review drafting aid, but users should treat employee review and peer feedback data as confidential HR information.

Install only if you are authorized to handle performance-review data. Do not paste unnecessary personal details, protected-class or medical information, raw peer comments, or confidential personnel records unless your organization permits it. Treat outputs as drafts, keep access limited to HR or managers with a need to know, and store final records only in approved HR systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill promises that peer feedback will be anonymized and synthesized, but it does not warn users that small teams, distinctive writing styles, or detailed examples can still allow re-identification. In a performance-review context, this can expose sensitive employment opinions and damage trust, confidentiality, or HR compliance if users rely on stronger anonymity than the system can actually guarantee.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The team analytics dashboard encourages listing promotion candidates, flight risks, and PIP/coaching status without any warning about sensitivity, access controls, or need-to-know restrictions. Those categories are highly sensitive personnel data, and exposing them broadly can create privacy violations, retaliation risk, morale harm, and legal/employee-relations issues if shared outside authorized HR/management channels.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal