UK Employment Law Calculator & Letters

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it needs Review because it gives high-stakes UK HR/legal outputs with broad triggers, weak safeguards, current-law claims that appear stale, and unrelated capability metadata.

Treat this as a drafting and checklist aid only. Confirm the matter is UK-specific, avoid entering unnecessary employee identifiers or sensitive health/immigration details, and verify every rate, deadline, and letter with GOV.UK, ACAS, or a qualified UK employment adviser before acting or sending anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README encourages users to rely on statutory calculations and generated HR letters for real employee-facing decisions, but the only disclaimer says 'it is not legal advice' at the end. That does not clearly warn users to verify outputs, check current law, and obtain human review before using calculations or templates in dismissals, grievances, redundancy, or pay matters, where errors can create legal exposure.

Natural-Language Policy Violations

Severity: Low
Confidence: 72%
Finding
The skill is branded as 'UK Employment Law' and mentions UK rates, but it does not prominently state up front that it is intended only for UK jurisdiction and should not be used for non-UK employment matters. A user could mistakenly apply UK-specific entitlements or letter templates in another jurisdiction, producing noncompliant advice or documents.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The skill is user-invocable and its description says to use it when anyone asks about employee rights, HR calculations, or needs a letter template, which is broad enough to trigger on ordinary conversation that merely mentions work, rights, or HR. Over-broad activation can cause the assistant to route unrelated prompts into a legal/HR workflow, increasing the risk of unsolicited legal-style guidance and inappropriate handling of sensitive employment scenarios.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The listing is written broadly enough that it could be invoked for generic HR or employee-rights questions without clear gating that it is UK-only and informational. In a security context this is a prompt-scope vulnerability: users may receive jurisdiction-specific legal/HR outputs or letter templates in situations where the facts, locale, or legal-risk boundaries are unclear, increasing the chance of harmful misapplication.

Natural-Language Policy Violations

Severity: Low
Confidence: 72%
Finding
The skill is explicitly UK-focused across the entire listing, but the description does not require user opt-in or jurisdiction confirmation before applying UK rules. This can mislead users with non-UK or unspecified contexts into receiving incorrect legal calculations or employment guidance, especially because the skill presents itself as authoritative and 'verified' for 2025/26 rates.

VirusTotal

51/51 vendors flagged this skill as clean.