ClawHub

employee-skills-importer

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent HR skills-import purpose, but it can generate SQL that updates employee records and automatically fuzzy-matches identities without a clear approval or safe review step.

Install only if you are authorized to process this Supabase project's employee data. Before running any generated SQL, review all statements, verify every fuzzy name correction, test in staging or inside a rollback-capable transaction, use least-privileged database access, and keep a backup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to execute AI-generated SQL scripts in their Supabase SQL editor without telling them to review the statements first or warning that generated SQL can modify production data incorrectly. In this skill’s context, the output is intended to touch multiple relational tables and derive inserts from uploaded CSV content, so a malformed prompt, parser error, or adversarial CSV could lead to unintended data corruption, duplicate relationships, or broad writes being run by a user who assumes the output is safe.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill processes employee personal data from the employees table and uses fuzzy matching to reinterpret identities, but it does not clearly warn the user about this data handling or the risk of automatic mis-association. In a personnel context, silent identity correction can cause inaccurate employee-skill mappings and privacy/compliance issues, especially if the generated SQL is executed without review.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill mandates automatic fuzzy name correction without user opt-in, which can incorrectly map one employee's skills to another employee if names are similar. Because the output is executable SQL that updates employee_skills records, a bad match can directly alter HR-related data and be difficult to detect after import.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal