Recruiter Assistant (Shenzhen)

Security checks across malware telemetry and agentic risk

Overview

This recruiting skill has a coherent purpose, but it processes untrusted resume files through unsafe shell commands and gives under-scoped instructions for sharing candidate data.

Install only if you can run it in an isolated or trusted environment and review the scripts first. Do not batch-process resumes with attacker-controlled filenames, and require explicit human review before saving reports or sending candidate summaries to HR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs sending high-scoring candidate summaries to HR via a messaging tool without any consent, minimization, or disclosure guardrails. Candidate evaluations and resumes commonly contain personal and sensitive employment data, so automatic onward transmission can cause unauthorized disclosure or privacy-policy violations.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The file hard-requires a Shenzhen-specific salary benchmark and output format, which can bias hiring decisions and cause the skill to apply region-specific compensation guidance even when the candidate or role is in another market. In a recruitment assistant, this is a real policy and fairness risk because it can systematically produce misleading or discriminatory assessments if used outside the intended locale.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code builds shell command strings and passes user-influenced file paths into execSync, which invokes a shell. Although the PDF path is wrapped in double quotes, shell metacharacters inside the filename such as command substitution syntax can still be interpreted, enabling command injection if an attacker controls fileName or the staged file path. In a resume-processing workflow that handles untrusted uploads, this context makes the issue more dangerous because attackers can disguise payloads as candidate documents.

VirusTotal

66/66 vendors flagged this skill as clean.
