ClawHub

Hr Resume Evaluation

Security checks across malware telemetry and agentic risk

Overview

This resume-evaluation skill is coherent, but it sends candidate resumes and optional hiring context to an external model service without clear privacy disclosure or redaction controls.

Install only if your organization permits sending resumes and recruiting materials to the configured model provider. Review config/model.yaml, confirm the endpoint and API key policy, disable raw JSON output if unnecessary, and avoid using the reports as automatic hiring or rejection decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the user to run a local Python script that reads resumes and optional JD/company files, writes reports, accesses an API key from the environment, and likely makes outbound model API calls, but the skill declares no permissions. This creates a transparency and governance gap: operators cannot accurately assess or constrain file, shell, environment, and network access before use, which is especially sensitive given the personal data typically contained in resumes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends full resume text plus optional job-description and company documents to an external model via `evaluate_with_model(...)`, but this file provides no disclosure, consent gate, minimization, or redaction step before transmission. In an HR resume-evaluation skill, these inputs are likely to contain sensitive personal data and potentially confidential recruiting materials, so silent transfer to a model service creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function sends resume text, job description text, company text, and configuration data to a configurable external model endpoint. In an HR/resume-evaluation skill, this can include sensitive personal data and potentially regulated employment-related information, so undisclosed third-party transmission creates a real privacy and compliance risk even if the code is not overtly malicious.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal