Security audit

Placed Interview Coach

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed interview-coaching integration that sends interview content to Placed and stores a Placed API key locally, so it is usable but requires privacy and credential caution.

Install only if you trust Placed with your interview-preparation data. Prefer a revocable or dedicated API key, remove or protect ~/.config/placed/credentials when no longer needed, and avoid sending confidential employer, client, or personal details in answers or saved STAR stories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs saving a user-provided API key in plaintext under the home directory and reusing it in future sessions without any warning, consent flow, or file-permission guidance. This creates a real credential-handling weakness because local compromise, backups, shell access, or other tools on the machine could expose the token and enable unauthorized API use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill is explicitly designed to send interview data, resumes, answers, and identifiers to a third-party remote service, but it provides no privacy notice or consent step before transmitting potentially sensitive career information. In this context, users may reasonably disclose resumes, employer targets, and behavioral stories that contain personal or confidential data, so silent transmission is a genuine privacy risk.

Ssd 3

Medium
Confidence: 98%
Finding
The instructions direct the agent to persist and later reuse a user API key across sessions, which expands the blast radius of any compromise and normalizes long-term secret retention outside managed secret storage. Because this is an interview-coaching skill rather than a system-administration tool, persistent credential storage is not necessary for core functionality and increases risk without clear justification.

VirusTotal

59/59 vendors flagged this skill as clean.