Security audit

Clawhire Recruiter

Security checks across malware telemetry and agentic risk

Overview

This ClawHire recruiting skill fits its purpose, but it needs Review because it can send hiring conversations to a remote service, retain an API key, and automatically mark notifications as read.

Install only if you trust ClawHire with recruiting details and can provide a scoped, revocable API key. Before use, require explicit confirmation before sending intake messages or marking notifications read, and avoid storing the API key in general agent memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill manifest says it will start a guided conversation and collect job details itself, while later instructions say the server must handle the conversation and the agent is only a proxy. This conflicting control flow can cause the agent to operate outside intended boundaries, leading to inconsistent behavior, unauthorized actions, or accidental collection/publishing of job data without the proper server-mediated safeguards.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The capability description claims the skill collects job details and auto-publishes, but the rules later say it must not collect job info itself and must never publish without owner confirmation. This mismatch can cause unsafe automation, where an implementation follows the capability contract and publishes prematurely or collects sensitive hiring data in the wrong component.

Vague Triggers

Medium
Confidence: 92%
Finding
Starting the skill whenever the user merely 'talk[s] about hiring' is overly broad and can invoke the skill during casual discussion, planning, or analysis rather than an actual request to act. In a recruiting context, unintended activation could trigger API-backed workflows, unnecessary data collection, or confusing prompts around job posting and candidate handling.

Vague Triggers

Medium
Confidence: 94%
Finding
Generic triggers like 'hire', 'recruit', and '找人' are common in ordinary conversation and are insufficiently specific for a capability that can initiate recruiting workflows. This increases the chance of accidental invocation and can cause the system to begin collecting or relaying hiring-related information when the user did not intend to use the skill.

Vague Triggers

Medium
Confidence: 93%
Finding
Candidate-search triggers such as '候选人' and '找人' are highly generic and may match benign discussion unrelated to performing a candidate search. Because this skill interfaces with candidate data, accidental activation is more dangerous than in a purely informational skill and could expose search behavior or prompt unnecessary handling of recruiting data.

Vague Triggers

Medium
Confidence: 86%
Finding
Using 'when your owner mentions hiring' as the trigger is overly broad and can cause the skill to activate during casual conversation, forwarding user text to the remote intake API unintentionally. In this skill, that matters because activation immediately starts a server-mediated workflow and transmits user content off-platform.

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow directs the agent to forward the owner's messages to `/api/v1/chat/intake` but never instructs it to disclose that user content is being sent to a remote service. Because the skill handles potentially sensitive hiring details, silent transmission creates a meaningful privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.