User Interview & PMF Validation Playbook — JTBD Framework, Customer Discovery, Churn Diagnostics (937 Interviews)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent user-research playbook, but it pushes collection of personal details, recordings, screen shares, and screenshots without enough privacy, retention, or access-control guidance.

Review before installing if your team will use this with real customers. Add your own privacy notice, make recording and screen sharing optional where possible, warn participants to close sensitive tabs and disable notifications, redact screenshots/recordings, store research data only in approved access-controlled systems, and set deletion/retention rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The skill explicitly recommends mandatory recording and screen sharing during interviews but does not pair that guidance with an explicit consent, disclosure, and sensitive-data handling requirement. In practice, this can lead operators to collect personal, confidential, or regulated information without informed consent, creating privacy, legal, and trust risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The bug report template explicitly asks users to submit screenshots or screen recordings, but it does not warn that those artifacts may capture personal data, credentials, customer content, or other sensitive workspace information. In the context of beta testing and user interviews, participants are likely to record real environments and real data, which makes inadvertent over-collection and privacy exposure reasonably likely.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The guide instructs collecting a broad set of personal data including name, email, location, company, role, LinkedIn, and social accounts, but provides no guidance on data minimization, lawful basis, consent, storage protection, or retention. In a user research workflow, this can lead teams to over-collect and insecurely handle personal data, increasing privacy, compliance, and misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The guide says interviews must be screen-recorded and include screen sharing, while only briefly asking for agreement and not warning about accidental exposure of passwords, customer data, internal documents, or other sensitive material visible on the participant's device. This creates a realistic risk of capturing sensitive information beyond the interview scope and storing it in recordings that may later be shared internally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The post-interview templates encourage retaining detailed interview notes, user profiles, behavior data, recordings, and follow-up metadata without any retention limits or secure handling requirements. Centralizing this volume of identifiable research data without governance raises the likelihood of unauthorized access, over-retention, and secondary use beyond what participants reasonably expected.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The template explicitly collects personally identifiable information such as name, email, company, social profiles, usage history, payment status, and recording and recording-consent metadata, but it provides no privacy notice, retention rule, access-control guidance, lawful-basis/consent handling, or minimization instructions. In a user interview skill, this increases the risk that operators will over-collect and improperly store sensitive customer research data and interview recordings, leading to privacy violations, unauthorized disclosure, or regulatory noncompliance.

VirusTotal

56/56 vendors flagged this skill as clean.