
Security audit

job-hunter-whatsapp

Security checks across malware telemetry and agentic risk

Overview

This job-search skill is purpose-aligned, but it handles sensitive data (resume contents, job-search history, API keys, and messaging traffic) that should be kept private.

Install only in a private workspace. Keep the resume, config, tracker, and API key files out of Git and shared folders, review tailored resumes before using them, and enable cron or WhatsApp/messaging updates only after confirming the schedule, recipient, and fields included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 77% confidence
Finding
The trigger list is broad enough that normal conversation about jobs, applying, or status updates could invoke the skill unexpectedly. Because this skill handles sensitive resume data, job history, and external API/messaging actions, accidental invocation increases the chance of unintended data access, file creation, or outbound job-search operations.

Missing User Warnings

Medium, 94% confidence
Finding
The skill instructs storing highly sensitive data including resume contents, employment history, target roles, salary preferences, tracked applications, and API credentials in local files without any explicit privacy notice, retention policy, access controls, or secret-handling safeguards beyond a brief gitignore comment. If the workspace is shared, synced, logged, or later accessed by other tools, this creates a meaningful confidentiality risk and possible credential exposure.

Missing User Warnings

Medium, 96% confidence
Finding
The automation section describes sending job-search summaries to a messaging channel, potentially exposing employers, applications, locations, salary details, and match assessments to an external service without an explicit warning or consent checkpoint. Since messaging platforms may involve third-party processing, device notifications, backups, and misdelivery risk, this can leak sensitive career-search activity.
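The overview recommends keeping the resume, config, tracker and API key files out of Git and confirming which fields a messaging summary contains before enabling it; the second and third findings describe what goes wrong otherwise. The script below is an added example of the pre-flight check a user could run before installing such a skill. It is not code from job-hunter-whatsapp or from SkillSpector; the file names, the .gitignore matching (a simplified version of Git's rules), the file-mode checks (POSIX only) and the summary field allowlist are all assumptions chosen for illustration.

```python
# Added example (not from the job-hunter-whatsapp skill or SkillSpector): pre-flight
# checks for the local files a job-search skill keeps and for the summary it sends
# to a messaging channel. File names, patterns and field names are assumptions.
import os
import stat
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Assumed set of local files such a skill writes (see the second finding).
SENSITIVE_FILES = ["resume.md", "config.json", "tracker.json", ".env"]

# Assumed allowlist of fields that may leave the workspace in a chat summary;
# salary, employer, location and match assessments are deliberately absent.
SUMMARY_ALLOWLIST = frozenset({"job_title", "status", "applied_on"})


def parse_gitignore(text: str) -> list[str]:
    """Keep pattern lines only; blanks, comments and negations are dropped (simplified)."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and not line.startswith("!"):
            patterns.append(line.rstrip("/"))
    return patterns


def is_gitignored(rel_path: str, patterns: list[str]) -> bool:
    """Simplified gitignore match on the whole path, the basename, or a parent directory."""
    parts = rel_path.split("/")
    for pat in patterns:
        pat = pat.lstrip("/")
        if fnmatch(rel_path, pat) or fnmatch(parts[-1], pat):
            return True
        # A 'private/' style pattern covers every path beneath that directory.
        if any(fnmatch("/".join(parts[:i]), pat) for i in range(1, len(parts))):
            return True
    return False


def mode_problems(mode: int) -> list[str]:
    """Name the group/other permission bits set on a file mode (as returned by os.stat)."""
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world-accessible")
    return problems


def redact_summary(entries: list[dict], allowlist=SUMMARY_ALLOWLIST) -> tuple[list[dict], set[str]]:
    """Reduce tracker entries to allowed fields; also report which fields were dropped."""
    kept, dropped = [], set()
    for entry in entries:
        kept.append({k: v for k, v in entry.items() if k in allowlist})
        dropped.update(k for k in entry if k not in allowlist)
    return kept, dropped


def preflight(workspace: Path) -> list[str]:
    """List sensitive files not covered by .gitignore or readable by other local users."""
    findings = []
    gitignore = workspace / ".gitignore"
    patterns = parse_gitignore(gitignore.read_text()) if gitignore.exists() else []
    for name in SENSITIVE_FILES:
        if not is_gitignored(name, patterns):
            findings.append(f"{name}: not covered by .gitignore")
        path = workspace / name
        if path.exists():
            for problem in mode_problems(path.stat().st_mode):
                findings.append(f"{name}: {problem}")
    return findings


if __name__ == "__main__":
    # Constructed workspace: only .env is ignored and the tracker is world-readable.
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / ".gitignore").write_text("# secrets\n.env\n")
        (ws / "tracker.json").write_text("{}")
        os.chmod(ws / "tracker.json", 0o644)
        for line in preflight(ws):
            print(line)
        # Constructed tracker entry: the salary field must not reach the chat.
        kept, dropped = redact_summary([{"job_title": "SRE", "status": "applied", "salary": "150k"}])
        print(kept, "dropped fields:", sorted(dropped))
```

Running it on the constructed workspace reports resume.md, config.json and tracker.json as not gitignored and tracker.json as group- and world-accessible, and shows that only job_title and status survive redaction. The returned dropped-field set is the list a user should review before approving the schedule, recipient and fields of an automated update.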

VirusTotal

0 of 66 vendors flagged this skill as malicious. Antivirus scanning checks for known malicious code; it does not cover the data-handling and trigger findings above.
