Get Job Information and Summarize

Security checks across malware telemetry and agentic risk

Overview

This job-crawling skill fits its stated purpose, but it asks for control of a logged-in browser session and local environment changes without enough boundaries.

Review before installing. Use only a dedicated Chrome profile or account for this workflow, keep no unrelated sessions in that browser profile, approve any Python or package installation manually, and restrict outputs and historical comparisons to a dedicated folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs writing crawled data, summaries, and HTML/TXT outputs to local files but does not declare corresponding permissions. Undeclared file-write behavior reduces transparency and informed consent, making it easier for a skill to modify the user's workspace unexpectedly. In this context the writes are central to the workflow, but they should still be explicitly declared and constrained.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to summarize user-requested job data, but the instructions also authorize connecting to an existing Chrome remote-debugging session on 127.0.0.1:9222, using a logged-in recruitment account, modifying scripts, and performing hard-coded scraping/output behavior not clearly reflected in the description. This mismatch is dangerous because users may consent to a benign 'summary' task without understanding that the skill will access browser session state and perform broader local actions. The browser-debugging dependency especially raises the risk of unintended access to authenticated content and local browsing context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The instructions authorize the agent to install Python and third-party libraries on the user's machine, which exceeds normal data collection/summarization and changes the host environment. Installing software can introduce supply-chain risk, break system stability, or expand persistence/capabilities beyond what the user expected from a job-crawling skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill tells the agent to install Python and third-party libraries without clearly warning the user that this will modify the local system. Lack of disclosure undermines informed consent and can lead to unanticipated software changes, dependency conflicts, or installation of untrusted packages.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires the user to log into a BOSS直聘 account and then uses a Chrome remote-debugging session for scraping, but it does not clearly disclose the privacy and session-security implications. A debug-attached process can access authenticated browser context, cookies, and sensitive page content, so failing to warn the user materially increases the risk of account/session exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
