ClawHub

Interview System Designer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local toolkit for designing interview processes and analyzing hiring calibration, but real candidate and demographic data should be handled carefully.

Install/use is reasonable for internal hiring-process design, but treat outputs as decision-support only. Use synthetic or anonymized data where possible, restrict access to generated reports, review retention requirements, and have HR/legal review any demographic analysis or 'cultural fit' criteria before applying them to real candidates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages analysis of interview results containing protected demographic attributes such as gender and ethnicity, but it does not provide clear privacy, minimization, retention, access-control, or lawful-use guidance. In a hiring context, this can lead users to process highly sensitive employment data insecurely or in ways that create legal, compliance, and confidentiality risk.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The skill explicitly recommends analyzing interview data that includes demographics for bias detection, but it does not scope that collection to lawful, consented, and minimally necessary use. Handling protected-class or demographic data without explicit compliance controls can create privacy, discrimination, and regulatory risk, especially in hiring contexts where such data is highly sensitive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes processing candidate scores, interviewer feedback, and demographic data without any accompanying warning about confidentiality, sensitive data handling, or legal obligations. In a hiring workflow, this omission is risky because users may supply personal or protected information to the system without understanding storage, sharing, or compliance implications.

Vague Triggers

Low
Confidence
86% confidence
Finding
The guidance to assess 'cultural fit' is underspecified and can invite subjective, non-job-related evaluation criteria. In a hiring/interview skill, that ambiguity can enable interviewer bias, inconsistent decision-making, and potentially discriminatory screening under the guise of fit.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file explicitly includes 'cultural fit' as an interview objective, focus area, and scorecard dimension without any guardrails defining job-related criteria or anti-bias constraints. In hiring systems, this can enable subjective, inconsistent, and potentially discriminatory decision-making under the guise of evaluation, especially because this skill is specifically intended to standardize interview processes.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
Using 'cultural fit' as an interview objective and scorecard dimension introduces a vague, non-job-related criterion that can enable subjective judgments and bias in hiring decisions. In an interview-system-design skill, this is more dangerous because the output is meant to standardize and operationalize hiring processes, so the problematic criterion may be propagated across interview loops and used repeatedly at scale.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes detailed hiring calibration results to local JSON and text files by default, and those results can include sensitive HR data such as candidate identifiers, interviewer identifiers, demographic categories, bias analyses, and hiring recommendations. Persisting this data to disk without minimization, access controls, encryption, retention guidance, or even an explicit privacy warning increases the risk of unauthorized disclosure through shared workstations, backups, logs, or accidental file distribution.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The guidance explicitly tells interviewers to assess 'cultural fit,' which is a subjective criterion that can become a proxy for affinity bias and other non-job-related judgments. In a hiring-system skill, this is especially risky because it can institutionalize biased evaluation practices across interview loops, rubrics, and interviewer behavior rather than remaining an isolated wording issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal