ClawHub

Hr Toolkit

Security checks across malware telemetry and agentic risk

Overview

The HR template skill mostly matches its purpose, but it also includes a generic helper that quietly stores HR-related inputs and command history in local files.

Review this skill before installing. Use the HR prompt script for templates, avoid entering confidential employee or candidate details into the generic `add` helper, and manually inspect or delete the local `hr-toolkit` data directory if sensitive data was entered. There is no evidence of network exfiltration or destructive behavior, but the local retention behavior needs user awareness.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script silently appends command activity and arguments to a history file under the user's data directory without notifying the user. In an HR-context tool, command arguments may contain employee names, identifiers, or other sensitive workflow data, so undisclosed persistence increases the risk of privacy leakage on shared systems or through backups/log collection.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The add command writes arbitrary user-supplied content directly to disk and echoes it back without warning that the data will be persisted locally. Because the skill is presented as an HR toolkit, users may enter personnel-related information expecting transient processing, making undisclosed local storage more dangerous due to potential exposure of sensitive employee data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal