CareerClaw

Security checks across malware telemetry and agentic risk

Overview

CareerClaw mostly matches its job-search purpose, but it under-discloses sensitive resume/key handling and includes debug paths that can expose a license key.

Review before installing. Use it only if you are comfortable storing resume/profile data in plaintext under .careerclaw and, for Pro, sending derived candidate/job signals to OpenAI or Anthropic and validating a license with Gumroad. Do not run the debug scripts with real keys until the raw key logging is removed, and look for an updated permissions section that explicitly covers resume.txt, profile.json, and .license_cache.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Scope Creep

Medium
Confidence
95% confidence
Finding
The setup flow instructs the agent to create `.careerclaw`, extract a resume, and write `.careerclaw/resume.txt`, but the permissions section later describes write access only for `tracking.json` and `runs.jsonl`. This mismatch weakens transparency and guardrail enforcement because the skill writes user-sensitive career data beyond what it claims.

Scope Creep

Medium
Confidence
97% confidence
Finding
The skill explicitly tells the agent to generate and write `.careerclaw/profile.json`, which contains structured personal information derived from the user's resume, but this file is omitted from the declared write permissions. Omitting a sensitive persisted file from permissions is dangerous because it hides storage of personal data and can bypass user expectations or automated review.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The code comments explicitly assure that raw resume text is never forwarded to LLM processing, yet the CLI passes full resume text into buildResumeIntelligence for 'Pro enhancement'. If downstream logic uses that pipeline for remote or LLM-backed enrichment, users may unknowingly disclose sensitive personal data under a false privacy guarantee.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Trigger phrases such as 'job search', 'find jobs', and 'draft outreach' are broad enough to match ordinary conversation and may cause the skill to activate when the user did not intend to invoke it. In this skill, unintended activation can lead to filesystem checks, package installation attempts, CLI execution, and external job-site queries, making broad triggers more than a usability issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This debug script reads profile and resume-derived data, embeds it into an LLM prompt, and transmits that content to external OpenAI or Anthropic APIs. Even though this appears intended for debugging, it can expose sensitive personal and career data without any explicit consent flow, redaction, or warning at the point of use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the raw PRO_KEY value directly to stdout, which can expose a license key in terminal scrollback, CI logs, shell history captures, or shared debugging transcripts. Even though this is a debug utility, secrets should not be emitted in plaintext because anyone with log access could reuse or disclose the key.

External Transmission

Medium
Category
Data Exfiltration
Content
let openAITransport: OpenAITransport | null = null;

  if (provider === "anthropic") {
    res = await fetch("https://api.anthropic.com/v1/messages", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
Confidence
88% confidence
Finding
fetch("https://api.anthropic.com/v1/messages", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
openAITransport = defaultOpenAITransport(model);

    if (openAITransport === "responses") {
      res = await fetch("https://api.openai.com/v1/responses", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
Confidence
88% confidence
Finding
fetch("https://api.openai.com/v1/responses", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
      });
    } else {
      res = await fetch("https://api.openai.com/v1/chat/completions", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
Confidence
88% confidence
Finding
fetch("https://api.openai.com/v1/chat/completions", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
let openAITransport: OpenAITransport | null = null;

  if (provider === "anthropic") {
    res = await fetch("https://api.anthropic.com/v1/messages", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
Confidence
88% confidence
Finding
https://api.anthropic.com/

External Transmission

Medium
Category
Data Exfiltration
Content
openAITransport = defaultOpenAITransport(model);

    if (openAITransport === "responses") {
      res = await fetch("https://api.openai.com/v1/responses", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
Confidence
88% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
      });
    } else {
      res = await fetch("https://api.openai.com/v1/chat/completions", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
Confidence
88% confidence
Finding
https://api.openai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
