Resume-analyzer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a resume-analysis skill whose main risk is unnecessary exposure of the personal details contained in resumes, not hidden or destructive behavior.

Use this skill only with resume content you are comfortable sharing with an AI agent. Remove or mask phone numbers, email addresses, home addresses, government identifiers, and any employer-confidential details unless they are necessary for the specific review.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill description is broadly scoped to trigger on generic resume-related requests, which can cause unintended invocation and unnecessary processing of sensitive resume data. In this context, resumes commonly contain PII and employment history, so over-broad activation increases the chance that private data is sent to the skill when the user did not explicitly request deep analysis.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill invites users to submit full resume text for AI analysis but does not warn that resumes often contain highly sensitive personal data such as phone numbers, email addresses, addresses, employer history, and education records. Without a privacy notice or data-minimization guidance, users may disclose more personal information than necessary, creating avoidable privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 98%
Finding
The usage notes explicitly encourage providing complete resume content, including personal information, while offering no corresponding caution about limiting, masking, or protecting that data. This makes accidental oversharing more likely and is especially risky because the skill's purpose is to ingest free-form resume text, which routinely contains sensitive PII.

VirusTotal

63/63 vendors flagged this skill as clean.
