ClawHub

AI Recruiting Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only recruiting helper whose sensitive hiring workflows are disclosed and purpose-aligned, though real candidate data should be handled carefully.

Reasonable to install for recruiting templates and scorecards. Before using it with real candidates, keep a human responsible for decisions and messages, minimize candidate data, avoid protected-class or sensitive personal information unless legally authorized, secure any pipeline files, and follow applicable employment, privacy, retention, and anti-discrimination rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes resume screening and candidate pipeline tracking, both of which typically involve handling sensitive personal data such as employment history, contact details, and potentially protected characteristics. Presenting these workflows without any privacy, retention, access-control, or legal-compliance warning increases the likelihood that users will process candidate data insecurely or unlawfully.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly authorizes autonomous processing of resumes, public-profile research, pipeline tracking, and drafting outreach, all of which involve handling personal data and profiling candidates. Because it provides no privacy guardrails, consent requirements, retention limits, jurisdictional compliance checks, or anti-bias controls, an agent following this skill could collect, infer, store, and act on candidate data in ways that violate privacy expectations or employment regulations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal