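HTS universal AI assistant generator for all job positions. It supports management, technical, business, functional and other roles, and automatically generates the role owner's profile, the assistant specification, and the complete OpenClaw configuration files, giving each position its own AI assistant.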

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only job-description-to-assistant generator with no code execution or credential access, but users should redact sensitive job details before use.

Before installing or using this skill, review and redact job descriptions. Remove names, contact details, compensation, internal staffing plans, confidential reporting lines, proprietary project details, and regulated HR information unless truly needed. Treat generated assistant files as drafts and review their behavior boundaries before reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly instructs users to paste a complete job description into the tool, but provides no warning, minimization guidance, or redaction requirement for sensitive personnel, organizational, or internal business information commonly present in such documents. In this context, the skill is designed for enterprise internal use and to generate persistent assistant configurations, which increases the likelihood that users will submit confidential HR and operational data unnecessarily or in excess of what is needed.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation instruction is extremely broad: users are told to paste a complete job description after a generic phrase, with no constraints on data minimization, approved input types, or confirmation before processing. In an enterprise setting, job descriptions can contain internal org structure, staffing plans, confidential responsibilities, or personal data, so a broad trigger increases the chance of unintended sensitive-data ingestion.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages users to paste complete job descriptions but provides no warning that these materials may include sensitive business information or personal data. Without a warning or redaction guidance, users may disclose confidential internal documents to the model, creating privacy, confidentiality, and compliance risks.

VirusTotal

45/45 vendors flagged this skill as clean.
