Anubis

Security checks across malware telemetry and agentic risk

Overview

This resume helper is not malicious, but it handles sensitive resume data in under-disclosed ways that deserve review before installation.

Install only if you are comfortable with the agent displaying your full resume and job description in the console and potentially using external research to personalize the cover letter. Avoid using this in shared terminals, logged sessions, synced output folders, or with resumes containing information you would not want exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill explicitly instructs the agent to 'research the company from JD clues,' which expands behavior beyond transforming user-provided resume and job-description content into active external information gathering. That can cause the agent to access outside sources unexpectedly, introducing privacy, provenance, and prompt-injection risk from untrusted web content not declared in the manifest.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill prints the full resume and full job description to the console, but its description does not clearly warn users that potentially sensitive personal and employment data will be echoed in plaintext. This creates unnecessary exposure in terminal history, logs, screenshots, remote sessions, and shared execution environments.

Missing User Warnings

Low
Confidence: 79%
Finding
The skill writes output files to a local directory without a clear upfront warning that it will create files on disk. While the filenames are date-based and not overtly destructive, silent file creation can still surprise users, leak sensitive application materials into synced folders, or overwrite prior outputs depending on execution context.

VirusTotal

64/64 vendors flagged this skill as clean.
