ClawHub

HRClaw JD & Resume Scorecard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed recruiting helper for turning job descriptions and resumes into scorecards, with privacy-sensitive resume processing that users should handle carefully.

Install only if you are allowed to process the resumes and JDs you provide. Treat outputs as first-pass screening support, review them before making hiring decisions, and avoid pasting candidate details into Feishu, DingTalk, or other tools unless sharing is authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The default prompt and implicit invocation settings allow the skill to activate for multiple loosely defined tasks, including turning JDs into scorecards, scoring attached PDF resumes, extracting text from PDFs, and rendering chat-friendly output. This broad trigger surface can cause the agent to invoke the skill in contexts the user did not clearly intend, increasing the risk of unintended processing of sensitive resume data or incorrect task routing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt explicitly instructs processing uploaded PDF resumes and extracting personally identifiable and employment-related fields such as name, location, education, employer, and skills, but provides no privacy notice, consent check, minimization rule, or handling constraint. In a hiring workflow this creates a real privacy/compliance risk because the system is designed to ingest sensitive candidate data and normalize it into structured output that may be shared onward without clear user awareness or safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal