ClawHub

One Page CV

Security checks across malware telemetry and agentic risk

Overview

This resume skill is mostly coherent, but it needs Review because it can inspect resume files on broad triggers and explicitly encourages unsupported resume claims.

Install only if you are comfortable supervising its outputs closely. Review every generated metric, claim, name choice, and language choice before using the resume; replace unsupported estimates with verified facts. Approve package installs, font downloads, or file moves only after checking the exact command and affected files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill goes beyond resume tailoring by directing the agent to check for, recommend, and potentially assist with installing XeLaTeX and fonts from system package managers and external sources. Even with a permission prompt, this expands the operational scope into system modification and third-party software acquisition, increasing the risk of unnecessary privileged actions and supply-chain exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to offer moving the user's original resume files into a different folder, which is unrelated to the minimum functionality required to generate a tailored resume. Modifying the user's file layout can cause confusion, break other workflows, or lead to accidental mishandling of source documents.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are extremely broad, including vague career-related contexts and even passive detection of resume files in the working directory. This can cause the skill to activate when the user did not ask for resume generation, leading to unintended file inspection and resume-related actions in unrelated conversations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes file-moving instructions framed as a cleanup convenience, but does not provide a strong, immediate warning that user files will be modified. Users may interpret this as a harmless suggestion while the agent performs destructive or workflow-altering filesystem actions.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
Mandating use of a Chinese or English name based on JD language overrides the user's personal identity preference and may generate inaccurate application documents. This is particularly risky for candidates who intentionally use a specific professional name across markets.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
Mandating use of a Chinese or English name based on JD language overrides the user's personal identity preference and may generate inaccurate application documents. This is particularly risky for candidates who intentionally use a specific professional name across markets.

Ssd 4

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to invent metrics when they are missing and to strategically reframe experience to appear like a stronger fit. This encourages fabrication in a job application context, which can mislead employers and cause reputational, compliance, or fraud-related consequences for the user.

Ssd 4

Medium
Confidence
90% confidence
Finding
The career-changer guidance normalizes 'creative' reframing of experience to fit a role, which can push the agent toward misleading representation rather than honest emphasis of transferable skills. In employment documents, that context makes embellishment more dangerous because the output is intended to influence screening and hiring decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal