
Security audit

Pm Interview Coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PM interview coaching skill, but users should know it uses Xiaohongshu and MiniMax-related external tooling despite an overbroad local-processing statement.

Install only if you are comfortable with Xiaohongshu MCP access and MiniMax-VL-01 being used for interview-content research. Redact unnecessary personal details from resumes, verify whether your MCP/model setup is local or hosted, and periodically remove saved images from ~/.openclaw/workspace/xhs_interview_images if you use the helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes external network-capable tooling (`xiaohongshu` search/detail calls and a vision model) without declaring that capability or warning the user. Hidden network behavior is risky because users may provide resumes and target roles under the belief that processing is local-only, while the skill’s workflow depends on remote access and could expose sensitive context indirectly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is interview coaching, but the documented behavior includes scraping Xiaohongshu posts, downloading remote images, and processing feed tokens and post metadata. This mismatch is dangerous because it conceals materially different behavior from users and reviewers, increasing the chance of unauthorized data access, policy violations, and unexpected network activity during seemingly benign coaching sessions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill explicitly claims that no resume or personal information is collected, uploaded, or transmitted and that all processing is local, yet the workflow mandates external Xiaohongshu queries and use of an external AI vision model. False security assurances are especially dangerous here because users are likely to share highly sensitive resume data based on those assurances, creating privacy, compliance, and trust risks.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill’s stated function is to coach based on the user's resume and target role, but it makes third-party social-media scraping a mandatory prerequisite. This scope expansion is risky because it introduces unnecessary external data collection and processing not implied by the original skill description, which can surprise users and broaden the attack and compliance surface.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Requiring external social-platform search and image recognition exceeds the declared core purpose of interview coaching and introduces additional data flows, content ingestion, and model-processing risks. Because the workflow treats these capabilities as mandatory, the skill becomes more dangerous than a normal coaching assistant: it imports untrusted third-party content and may process it with external services without transparency.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script retrieves remote image URLs from external content and automatically downloads and persists them under the user's local workspace. For a PM interview coaching skill, this exceeds the minimum required capability and creates unnecessary exposure to untrusted remote content, disk usage, and unintended local data persistence.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The download function accepts arbitrary URLs from the feed data and writes the response directly to disk with minimal validation. In the context of an interview coaching skill, this unnecessary file-write capability increases risk from malicious or unexpected remote resources, including oversized payloads, persistent clutter, or abuse of network/file access beyond the skill's stated purpose.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad, generic interview-help requests that can easily match ordinary conversation and cause the skill to activate unexpectedly. In this skill’s context, unexpected activation is risky because it may prompt users to share resumes, job targets, and other sensitive career data, and may also initiate external content retrieval without the user clearly intending to use this specific skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises resume ingestion, external Xiaohongshu content retrieval, and image analysis, but does not clearly warn users about what personal data may be processed, transmitted to third-party services, or retained. Because resumes often contain names, contact details, employment history, and other sensitive information, missing privacy and data-handling disclosures can lead to unintended exposure of personal data.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases include broad natural language such as interview practice/help, which can cause the skill to activate in contexts where the user did not intend to invoke a networked scraping workflow. In this skill, unintended activation matters more because activation can lead to collection of resume data and undisclosed external searches, increasing privacy and surprise risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not warn users that it will access external networks to search and read third-party interview posts, despite making that behavior mandatory. This omission is dangerous because users may disclose resumes and interview targets without understanding that the session will trigger external retrieval of third-party content and possibly external model processing.

VirusTotal

67/67 vendors flagged this skill as clean.
