Web3 PM Interview Skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Web3 interview-prep skill with no executable code or requested permissions, but users should redact private data and practice wallet flows cautiously.

Before installing, treat this as a coaching skill, not a wallet tool. Redact names, contact details, compensation, private recruiter messages, internal metrics, non-public company information, raw transcripts, and sensitive asset details. For wallet-flow practice, use testnets, demos, burner wallets, and minimal funds; never share seed phrases or private keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The FAQ explicitly encourages users to submit resumes, job descriptions, company details, and interview-stage information without warning them to minimize or redact personal, confidential, or proprietary data. In an AI-assisted workflow, this can lead users to disclose PII, sensitive employment data, or non-public company information, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The launch copy explicitly encourages users to feed resumes and job descriptions into an AI system, but it does not warn about personally identifiable information, confidential employer data, or the need to redact sensitive content first. In the context of an interview-prep skill, users are especially likely to paste private resumes, compensation details, contact information, and non-public hiring materials, which creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The prep plan tells the user to 'Use 3 wallets and complete send, swap, bridge, approve, revoke' without any safety guidance about using testnets, tiny amounts, burner wallets, or the irreversible nature of on-chain actions. In a wallet-interview prep context, this can lead users—especially Web2 candidates with limited Web3 experience—to expose real funds, grant unsafe token approvals, bridge to wrong chains, or interact with malicious contracts while practicing.

Missing User Warnings

Medium
Confidence: 93%
Finding
The file solicits resume and background details in a structured intake that can include sensitive personal and professional information, but it provides no privacy notice, minimization guidance, or handling constraints. In an interview-prep context, this increases the chance that users overshare personal data and that downstream systems retain or process it without clear consent or boundaries.

Natural-Language Policy Violations

Medium
Confidence: 79%
Finding
Including an `english_level` field as a required intake element introduces language-proficiency screening without any context, user choice, or job-related justification. In hiring or interview-prep workflows, this can enable inappropriate proxy evaluation of candidates and create discriminatory outcomes if the field is treated as a default decision factor rather than a contextual communication-prep aid.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
Labeling 'English risk' as a default risk pattern frames limited English proficiency as an inherent candidate deficiency, which can normalize biased screening criteria. In a career-preparation skill, this is especially sensitive because it may shape coaching outputs, rankings, or recommendations in ways that unfairly penalize candidates absent a role-specific business necessity.

VirusTotal

66/66 vendors flagged this skill as clean.
