ClawHub

AI时代职业规划助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent career-planning assistant that collects user-provided career details and generates a local HTML report, with no evidence of hidden persistence, credential access, exfiltration, or destructive behavior.

Install only if you want a structured AI-era career assessment. Treat city and salary as optional, avoid sharing details you would not want included in a generated local HTML report, and remember the risk scores are estimates rather than professional career or compensation advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list contains very broad, common phrases such as '职业规划', '职业方向', and 'career planning', which are likely to appear in ordinary user conversation outside an intentional invocation context. This can cause unintended activation of the skill, leading to inappropriate collection or processing of sensitive career-profile information and confusing or unsafe agent routing behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very broad phrases such as general career-planning and future-job queries, which can cause the skill to activate in routine conversations that do not require this workflow. Over-triggering can lead to unnecessary collection of personal career data and generation of advice in contexts where the user did not explicitly request this specialized analysis.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The usage guidance says to trigger the skill whenever the user asks for broad categories of career advice, without defining exclusion criteria or confirmation steps. This increases the chance of unintended activation, causing the assistant to steer ordinary discussions into a structured profiling flow and request more personal information than necessary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks for city and salary range, which are sensitive personal and compensation details, but it does not present a just-in-time privacy warning or explain why those fields are optional before requesting them. In unintended or casual activations, this can pressure users into disclosing sensitive data without informed consent or clear minimization.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
Mandating Simplified Chinese for all user communication without offering a language choice can exclude users, create misunderstandings, and reduce informed consent around sensitive career and compensation questions. While not a direct exploit vector, it can amplify harm by making privacy expectations and recommendations less clear for non-Chinese-speaking users.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal