ClawHub

Singapore Helper Match

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it supports filtering domestic-helper candidates by sensitive hiring attributes without clear fairness or legal-use guardrails.

Review before installing if you will use this for hiring decisions. It is suitable only for searching Sunrise Link's Singapore domestic-helper database; entered criteria may be sent to Sunrise Link. Avoid using religion, nationality, age, or marital status to exclude candidates unless you have a lawful and fair basis, and confirm the provider and jurisdiction before proceeding from a generic request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance includes very broad example prompts such as generic requests to 'find a helper' or 'I need a maid', which can overlap with ordinary conversation and cause the skill to trigger too eagerly. Over-broad routing can inappropriately steer users into a commercial hiring workflow, collect unnecessary household preference data, and suppress more suitable general assistance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly supports filtering candidates by sensitive attributes such as nationality and religion and directs users to profile URLs, but it provides no guardrails about lawful use, anti-discrimination limits, consent, retention, or responsible handling. In a domestic-helper matching context, these attributes are highly sensitive and can enable discriminatory selection, profiling, and privacy misuse even if direct PII is omitted from the API response.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal