ClawHub

Career Planner 职业规划顾问

Security checks across malware telemetry and agentic risk

Overview

This is a career-planning skill that asks personal career questions, may do market research, and creates a downloadable report, with no evidence of hidden code or data exfiltration.

Install for career-planning use if you are comfortable sharing career history, salary goals, and constraints. Avoid sharing names, employers, or details you do not want saved, and ask the agent to keep advice in chat or anonymize the report if you do not want a downloadable file with personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence
97% confidence
Finding
The skill’s trigger criteria are excessively broad and include vague, everyday phrases like 'I don't know what to do' and 'I want a change', plus 'Always use it' language. This can cause unintended invocation in unrelated contexts, pulling users into an unnecessary interview flow and potentially collecting sensitive career, financial, or personal constraint information without clear relevance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to always write a report file to persistent user storage and update it later, but it does not require explicit user consent or clear disclosure before creating or modifying files. In a career-planning context, the report may contain sensitive personal data such as employment status, salary targets, family constraints, and career history, so silent persistence increases privacy and data-handling risk.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The template hard-requires the final report to be in Chinese without checking the user's preferred language or obtaining consent. In a career-planning workflow, this can reduce comprehension, produce inaccessible advice, and mishandle sensitive career guidance for users who are not Chinese speakers, leading to poor decisions or exclusion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal