Recruitment Agent

Security checks across malware telemetry and agentic risk

Overview

This recruiting automation skill appears purpose-aligned, but it can monitor candidate messages, store sensitive hiring data, modify records, send outreach, and create calendar events without clearly bounded consent or confirmation controls.

Install only if you are comfortable giving the skill recruiting-system, calendar, and candidate-data authority. Before use, require explicit confirmation before any outreach, calendar creation, database write, or recurring polling task; limit which candidate fields may be stored; avoid copying sensitive attributes into freeform summaries; and make sure monitoring has a visible stop condition.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad and overlap with normal recruiting-related conversation, which can cause the skill to activate when the user did not intend to run automation. In this skill, unintended invocation is especially risky because the workflows can read Boss直聘 messages, modify candidate records, send invitations, and create calendar events involving sensitive personal data.

Vague Triggers

Medium
Confidence: 94%
Finding
The workflow trigger list has ambiguous boundaries, with phrases like interest, decision, update, and scheduling that can reasonably match more than one workflow. In this context, ambiguity increases the chance of executing the wrong workflow, potentially updating talent records, logging decisions, or contacting candidates without clear user authorization.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill handles sensitive candidate and operator data, including chat content, identifiers, recruiting decisions, and calendar scheduling, but it provides no warning or safeguards around transmission, storage, or confirmation. This increases the risk of privacy violations, accidental disclosure, and inappropriate processing of personal data across Boss直聘 and 飞书 systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document instructs creation of a recurring background job that polls candidate messages every 30 minutes and processes their replies, but it does not require an explicit user disclosure, consent check, or clear notice that ongoing message monitoring will continue after the initial action. In a recruitment context, this creates a real privacy and authorization risk because the agent may continue accessing candidate communications and surfacing them in later conversations without a fresh user-triggered action or bounded approval.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger condition is loosely phrased as any time available slots need to be confirmed during interview scheduling, without explicit authorization or confirmation requirements before accessing the user's calendar. In a recruitment agent context, this can cause the agent to read sensitive calendar data more often than the user expects, exposing private schedule details and increasing the chance of unintended data access.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow instructs the agent to read calendar entries and create events, but it does not require a user-facing warning or confirmation that private calendar contents may be accessed or modified. Because calendar data contains sensitive personal and business information, and event creation changes the user's state, this omission can lead to privacy violations or unauthorized scheduling actions in normal use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow explicitly instructs the agent to pull contact details and other personal data from chat messages and resumes, then persist them into a talent database, but provides no consent check, minimization rule, retention limit, or user-facing warning. In a recruitment context this may be operationally intended, but it still creates a real privacy and compliance risk because the agent is automating collection and storage of sensitive candidate data without guardrails.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad enough that ordinary conversational statements like wanting to follow up, archive, or make a decision about a candidate could invoke a write-capable workflow without an explicit confirmation boundary. In a recruiting skill that updates systems of record, unintended invocation can cause unauthorized or accidental changes to candidate status and hiring documentation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The workflow performs database writes to a decision-record table linked to candidate records, but it does not warn that this changes persisted hiring data or prompt the user to verify the content before saving. In a recruitment context, silent writes can create inaccurate or premature hiring records, privacy issues, and process integrity problems if the wrong person or decision is recorded.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough that ordinary conversational requests like updating notes, tags, or archive status could activate a write-capable workflow without an explicit confirmation boundary. In a recruitment skill that modifies persistent candidate records, accidental invocation can lead to unintended data changes, data integrity issues, and unauthorized updates if the speaker did not intend to perform a database write.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow performs a direct record-upsert against a persistent Lark Base table but does not require the agent to explicitly tell the user that it is about to modify stored candidate data. In this context, silent writes are risky because recruitment records contain sensitive HR information, and users may not realize that a casual request will permanently alter notes, interview summaries, tags, or archive state.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad natural-language commands like “帮我给XXX约个面试” and “约一下XXX”, which can overlap with ordinary conversation and cause the agent to initiate recruiting actions unintentionally. In this skill, a misfire is meaningful because the workflow sends external messages to candidates, writes decision records, and creates recurring monitoring tasks, so accidental activation can lead to unauthorized outreach and privacy/process errors.

Ssd 3

High
Confidence: 97%
Finding
These steps direct the agent to extract private information from chats and resumes—including contact information, employment history, education, and candidate preferences—and store it in structured records. This is dangerous because it centralizes highly sensitive personal data from multiple sources, increasing the blast radius of unauthorized access, over-collection, and downstream misuse.

Ssd 3

High
Confidence: 98%
Finding
The summary template tells the agent to reproduce sensitive personal details, including direct contact information, age, gender, education, work history, and status, in a markdown field. Duplicating this data into freeform text is particularly risky because it bypasses field-level controls, makes over-sharing easier, and can expose protected or unnecessary attributes to broader audiences and systems.

VirusTotal

VirusTotal findings are pending for this skill version.
