Interview Question Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for interview workflows, but it can store and share sensitive candidate data in Feishu with hardcoded targets and an unreviewed helper script.

Install only for the intended WePlay/Feishu hiring workflow. Before using it with real candidates, verify the Feishu account, folder, collaborator, document permissions, and retention expectations, and review or replace the missing `feishu_bot_doc.mjs` helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs rendering resume pages into image files under /tmp, creating local copies of highly sensitive candidate data without any notice, retention limit, or cleanup step. This increases the risk of unintended persistence, exposure to other local processes/users, or accidental reuse of leftover files in later tasks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs creation of Feishu documents containing resume-derived interview questions and sets a default collaborator, which means candidate information is stored remotely and shared automatically without explicit consent or visibility controls. Because resumes and interview materials often contain personal and evaluative data, this can expose sensitive information to broader audiences than intended and create lasting records in shared systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
Appending interview evaluations to an existing Feishu document persists sensitive hiring assessments remotely, potentially in a document already shared with others. Interview evaluations contain especially sensitive judgments and risks, so silently storing them in shared cloud docs can lead to confidentiality breaches, biased data retention, and unauthorized access to hiring decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
