Job Hunt Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local job-search tracker that stores job application data on the user’s machine and does not show hidden network, credential, or destructive behavior.

Install this if you want a local job application tracker. Expect it to create and update files in ~/.openclaw/job-hunt-tracker/ containing job-search details such as companies, roles, salary ranges, offers, notes, and rejections; review or delete that folder if you no longer want the data stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation text includes the catch-all phrase 'any job hunting task', which is overly broad and can cause the skill to trigger on a wide range of employment-related conversations that do not require persistent file access. Because this skill has read/write permissions and performs automatic local storage, over-triggering increases the chance of collecting or modifying sensitive personal job-search data without clear user intent.

Vague Triggers

Medium
Confidence: 89%
Finding
A bare 'help' trigger is not scoped to job-tracking functionality, so the skill may activate in unrelated contexts whenever a user asks for generic help. In a skill with persistent local storage and write capability, this broad trigger raises the risk of unintended activation and unnecessary access to or creation of user data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill says data stays local, but it does not clearly warn users up front that personal job-search information will be automatically written to local files on first use. This weakens informed consent and can surprise users who may disclose sensitive employment, compensation, referral, interview, or rejection data without realizing it will be persisted.

VirusTotal

64/64 vendors flagged this skill as clean.
