HR面试评价助手-Word版 (HR Interview Evaluation Assistant, Word Edition)

Security checks across malware telemetry and agentic risk

Overview

This HR skill is for candidate evaluation, but it appears to request sensitive personal details that are not clearly needed and lacks privacy or anti-discrimination guardrails.

Review before installing. Use this only in an authorized HR environment, remove or ignore non-job-related personal fields, avoid protected characteristics in hiring recommendations, obtain appropriate consent, and store or export reports only where access and retention are controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly solicits and formats sensitive candidate data including age, sex, marital/parental status, hometown, address, family information, and compensation details, but provides no privacy notice, data-minimization guidance, or warning about handling sensitive personal information. In an HR context this is particularly risky because the collected fields may be highly sensitive, regulated, or discriminatory in some jurisdictions, increasing the chance of privacy violations, improper retention, and biased employment decisions.

VirusTotal

61/61 vendors flagged this skill as clean.
