Resume-JD 5-Dimension Match Scoring Engine

Security checks across malware telemetry and agentic risk

Overview

This resume scoring skill is coherent and purpose-aligned: it handles resume/JD text and generates local reports as expected, but it carries privacy and file-output caveats that users should understand.

Install only if you are comfortable letting the agent read the resume and JD content you provide and write local scoring reports. For sensitive resumes, provide the JD text yourself instead of asking the skill to search externally, and choose an output location that is not shared unintentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrases are broad enough to match ordinary resume-help requests, which can cause the skill to activate when the user did not intend a scoring workflow. Because the skill can read uploaded resumes, search for JDs, and write output files, unintended activation increases privacy exposure and may perform actions the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill writes HTML and Markdown reports into the user's workspace but does not clearly warn users beforehand. Silent file creation can surprise users, clutter workspaces, and in shared environments may expose sensitive resume evaluation data to unintended parties.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill processes highly sensitive personal resume content and may search or fetch job descriptions, but it does not provide an explicit privacy warning. Users may unknowingly expose personal data or have their documents used in external retrieval workflows they did not expect.

VirusTotal

64/64 vendors flagged this skill as clean.