Career Success Planner

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide the advertised career-planning API, but users should treat the submitted workplace profile data as sensitive.

Use this only with workplace data you are allowed to share with the provider. Avoid unnecessary identifiers such as manager names, user IDs, confidential internal projects, or HR records unless your organization has approved the provider's privacy, retention, and access practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly collects detailed professional and workplace assessment data, including role title, department, manager name, team size, work history, skills, and career goals, but provides no privacy notice, data minimization guidance, retention policy, or handling constraints. In an enterprise onboarding context this can expose sensitive employee and organizational information to external processing without informed consent or clear safeguards, increasing privacy, compliance, and insider-reconnaissance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The endpoint accepts assessmentData, sessionId, timestamp, and optional userId, all of which are sent to a backend service, but the API description does not disclose that potentially sensitive professional assessment and session-linked data leaves the local agent context. This creates a transparency and privacy risk because users may provide onboarding or career information without informed consent about external transmission.

VirusTotal

59/59 vendors flagged this skill as clean.
