ClawHub

Hrflow

Security checks across malware telemetry and agentic risk

Overview

This HR automation skill is purpose-aligned but asks for powerful HR, payroll, and messaging access without enough concrete limits or approval controls for sensitive employee workflows.

Only install this for an authorized HR or People Ops environment using least-privilege test credentials first. Require human approval for payroll, benefits, provisioning, purchasing, and employee-record changes, and verify where logs and employee data are stored before using real employee information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broadly scoped to 'automate HR workflows' and 'personalize employee experiences across HRIS systems,' which can cause over-activation for generic HR requests without clear limits. In a high-sensitivity HR/payroll context, this increases the chance the agent is invoked for actions involving employee PII, compensation, benefits, or provisioning before the user’s intent, authority, and scope are adequately verified.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill prominently promotes bi-directional HRIS, payroll, document, and communication integrations while handling highly sensitive employee data such as tax IDs, salary, benefits, and banking-related workflows, but it does not require explicit privacy, consent, minimization, or identity/authorization checks before sending data to third-party systems. This is dangerous because unauthorized or excessive transmission of HR data could expose regulated PII, trigger compliance violations, and cause payroll, benefits, or employment harm at scale.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal