training-course-designer

Security checks across malware telemetry and agentic risk

Overview

This is a document-only training course template skill with normal HR/L&D privacy caveats but no hidden execution, credential use, or external access.

Treat generated materials as drafts. Before using them with employees, review for factual accuracy, legal/compliance fit, confidentiality, accessibility, privacy notices, approved survey platforms, and explicit consent for testimonials or any shared personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 79%
Finding
The one-click generation flow presents a concrete multi-file output structure and implies automatic creation of many documents without an explicit safeguard against overwriting existing user files or directories. In an agentic environment with filesystem write capability, this can lead to unintended data loss or clobbering of user content if the package is generated into an existing path.

Missing User Warnings

Medium
Confidence: 88%
Finding
The guide instructs users to generate evaluation and follow-up surveys that may collect participant reactions, learning results, and 30-day application data, but it provides no warning about collecting personal or sensitive employee information. In a corporate L&D context, feedback can easily include identifiable performance data, opinions, or other HR-related information, creating privacy, retention, and misuse risks if users deploy the materials without safeguards.

Missing User Warnings

Medium
Confidence: 85%
Finding
The guide recommends using online survey tools such as Google Forms or SurveyMonkey for evaluation workflows without warning that participant responses may be shared with external processors or stored outside approved enterprise environments. In corporate training settings, this can expose employee-identifiable feedback and assessment data to third parties, which increases data-sharing and compliance risk.

Missing User Warnings

Low
Confidence: 89%
Finding
The templates include multiple free-text prompts about workplace challenges, barriers, manager support, and observed impact without guidance to avoid sharing sensitive personal, HR, or confidential business information. In a corporate L&D context, users may disclose personnel issues, performance concerns, or internal operational details that are unnecessary for training evaluation and could create privacy or confidentiality risk if collected or retained.

Missing User Warnings

Low
Confidence: 88%
Finding
The template encourages collecting or sharing participant assessment results and success stories without prompting for consent, data minimization, or guidance on appropriate disclosure. In a corporate L&D context, these details can reveal performance, development gaps, or personally attributable information that should only be shared with clear permission and defined use.

Missing User Warnings

Low
Confidence: 84%
Finding
The welcome activity asks participants to share their location and biggest challenge in a group setting without any caution about voluntary disclosure or sensitivity. While common in training, this can pressure participants to reveal personal or work-related information that may be unnecessary, especially in regulated, sensitive, or internal corporate environments.

Missing User Warnings

Medium
Confidence: 93%
Finding
Inviting participants to reply with success stories and stating they may be featured in a newsletter creates a clear disclosure risk if explicit consent and publication terms are not obtained first. In corporate training, success stories may contain identifiable employee information, team performance details, or internal business context, making unintended publication more harmful than a generic feedback request.

VirusTotal

54/54 vendors flagged this skill as clean.
