CHRO / Chief Human Resources Officer

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only HR advisor skill with sensitive but disclosed HR guidance, so it is acceptable if used with strict human and legal oversight.

Install only if you are comfortable using an AI assistant for HR decision support. Do not grant broad HRIS or personnel-file access by default; provide the minimum necessary data, restrict outputs to need-to-know HR/legal users, and require qualified human review for terminations, compensation changes, immigration/compliance matters, and any attrition or performance-risk scoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (91% confidence)
Finding
The skill proposes attrition risk scoring using sensitive employment data, including engagement survey results, manager 1:1 sentiment, activity patterns, and compensation signals, without any guardrails around consent, minimization, bias review, access control, or lawful-use limitations. In an HR context, these scores can directly influence employment decisions, creating privacy, discrimination, and labor-law exposure if the model is inaccurate, biased, or used opaquely.

Natural-Language Policy Violations

Medium (91% confidence)
Finding
The file gives legal/compliance guidance for only the US, EU, and UK, but it is framed broadly as operational compliance guidance and includes a sweeping instruction to apply the 'MOST restrictive rule.' In an HR skill, users may rely on this without first identifying the actual employee jurisdiction, creating a real risk of unlawful employment decisions, missed statutory obligations, or false confidence that unsupported regions are covered.

VirusTotal

64/64 vendors flagged this skill as clean.
