HR助手 (HR Assistant)

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local HR assistant, but it can change sensitive employee records without the confirmation safeguards its own instructions describe.

Review before installing. Use only on a protected workstation and restricted folder, back up spreadsheets first, avoid shared or synced export locations, and treat Feishu/cloud storage prompts as unsupported unless the publisher updates the implementation and disclosures. Add or enforce confirmation for delete, batch update, reset, and export actions before using real HR or payroll data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The onboarding prompt introduces Feishu cloud storage as a supported option even though the skill metadata describes a local Excel/JSON-only assistant and grants only filesystem read/write permissions. This is a capability mismatch: users may disclose sensitive HR and payroll data under false assumptions about the supported storage backends, and the agent may be pushed into undefined or insecure behavior when handling an unsupported cloud workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Claiming Feishu cloud collaboration support suggests networked data-sharing features that the stated local-file HR assistant design does not justify. In an HR context this is risky because it can mislead users into providing highly sensitive employee and payroll data for a collaboration flow the skill is not actually equipped or authorized to handle securely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The module explicitly stores full conversation histories under the local data directory, which can capture sensitive HR and payroll discussions containing personal data, compensation details, or disciplinary information. In an HR assistant context, retaining entire transcripts expands the amount of sensitive data at rest beyond what the core roster/payroll operations need, increasing privacy and breach impact if local files are exposed or mishandled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README states that data is stored locally, but it does not clearly warn users that highly sensitive HR data such as employee records, payroll, and conversation history will be persistently written to disk. In an HR context this omission matters because operators may unknowingly place regulated personal and compensation data on shared or insufficiently protected endpoints, increasing privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The README describes import/export and record-modifying features without clearly warning that these actions can overwrite, delete, or corrupt HR and payroll data. Because this skill manages sensitive employee and compensation information, the lack of warnings around destructive or bulk operations raises the chance of accidental data loss or unauthorized modification during routine use.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill states that conversation history is persistently stored under `.hr-data/conversations/`, but it does not prominently warn users about the privacy implications. In an HR/payroll context, conversations may contain highly sensitive personal and compensation data, so silent retention increases the risk of local data exposure and over-collection.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The prompt solicits employee roster and payroll files, which contain highly sensitive personal and compensation data, without any explicit privacy, confidentiality, minimization, or handling notice. In an HR skill, omitting these warnings materially increases the chance that users will upload unnecessary or overbroad sensitive data without understanding the exposure and retention implications.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger words for the employee-query intents include high-frequency everyday expressions such as "查看" (view), "工号" (employee ID), "的信息" (...'s information) and "的详情" (...'s details). They are too generic and are easily misrecognized in ordinary conversation as a request to read employee information. Because the skill holds local read/write permissions and handles sensitive HR data, misrouting can trigger personnel-information lookups without explicit confirmation, leading to privacy leakage or unauthorized access.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The initialization and binding patterns, such as "初始化" (initialize), "设置数据" (set up data) and "上传表格" (upload spreadsheet), are too broad and can divert ordinary inquiries, help requests or other non-binding contexts into the configuration-change flow. Because the skill binds local files and saves configuration, a false trigger can pull the wrong file into scope, overwrite existing configuration, or lead to unnecessary local data operations.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: Expressions such as "批量更新" (batch update) and "批量操作" (batch operation) are semantically vague, yet they map to high-risk write operations that change the status of many employees at once. If an ordinary management conversation is mismatched to them, it can trigger large-scale data changes such as batch confirmation of probation or batch offboarding, which in an HR setting directly affect employee status, payroll processing and audit records.
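The three Vague Triggers findings above share one root cause: a bare substring match on everyday words routes a message to a read, write or configuration action. The following is an added example, not the skill's own trigger list, showing the broad keyword routing next to rules that require an explicit verb plus a concrete HR object and that tag each intent as read, write or config so the write and config paths can be sent through a confirmation step. The broad keywords mirror the phrases quoted in the findings; the strict patterns, the intent classes and the six sample utterances are constructed for the demonstration.

```python
"""Keyword triggers versus intent rules with explicit objects.
Added example, not the skill's own trigger list. The broad keywords mirror the phrases
quoted in the findings; the strict patterns, the read/write/config classes and the
sample utterances are constructed for the demonstration."""
import re

# Broad keyword triggers: any substring hit routes the message.
BROAD = {
    "batch_update": ["批量更新", "批量操作"],
    "query_employee": ["查看", "工号", "的信息", "的详情"],
    "init": ["初始化", "设置数据", "上传表格"],
}

# Strict rules: an explicit action verb plus a concrete HR object, and a class
# so that write/config intents can be sent through a confirmation step.
STRICT = [
    ("batch_update", re.compile(r"批量(更新|转正|离职)[^,。?？]*?(员工|人员|工号)"), "write"),
    ("query_employee", re.compile(r"(查看|查询)\s*工号\s*([A-Za-z]*\d+)"), "read"),
    ("init", re.compile(r"(初始化|设置)(数据|配置)|上传表格\s*\S+\.(xlsx|csv|json)"), "config"),
]


def broad_route(text: str):
    """First intent whose keyword appears anywhere in the text, else None."""
    for intent, words in BROAD.items():
        if any(w in text for w in words):
            return intent
    return None


def strict_route(text: str):
    """Intent, class and matched span for the first strict rule that fires, else None."""
    for intent, pattern, kind in STRICT:
        m = pattern.search(text)
        if m:
            return {"intent": intent, "kind": kind, "matched": m.group(0)}
    return None   # caller should ask for clarification instead of guessing


SAMPLES = [  # constructed utterances
    "帮我看看公司去年的批量操作流程是什么",      # a question about process, not a request to change records
    "请批量更新所有试用期员工为正式",            # genuine bulk write
    "我想查看一下今天的天气",                    # unrelated small talk
    "查看工号E001的信息",                        # genuine lookup
    "这个技能怎么初始化?",                       # help question
    "请初始化数据,文件在 ./employees.xlsx",      # genuine configuration
]


def route_samples():
    """Route every sample both ways so the false positives are visible side by side."""
    return [{"text": t, "broad": broad_route(t), "strict": strict_route(t)} for t in SAMPLES]


if __name__ == "__main__":
    for r in route_samples():
        print(r)
```

Under the broad table, samples 0, 2 and 4 (a process question, small talk and a help question) are routed to batch_update, query_employee and init respectively; under the strict rules they return None, which the agent should answer with a clarifying question rather than an action. The genuine requests still route, and the write and config results carry a class that a confirmation gate can key on.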

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill declares that it persists configuration, conversation history and audit logs locally, but it gives no clear, explicit notice or consent prompt before initialization. For HR data that includes employee identity, contact details, salary and operation records, users are left unaware of the scope and duration of data retention, creating privacy-compliance and sensitive-data exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: Delete, reset and export operations affect data integrity or can move sensitive personnel data out of the system, yet the description contains no risk warning, confirmation step or export-minimization limit. Combined with local filesystem read/write permission, these operations, once mistriggered or induced through social engineering, can cause loss of employee records, destruction of configuration or leakage of sensitive reports.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The export function writes sensitive HR data, including names, departments, phone numbers, and salary, directly to disk without confirmation, destination choice, minimization, or warning. In an HR skill with filesystem write permission, a casual or ambiguous request can create additional sensitive copies on disk, increasing the risk of unintended disclosure and persistence.
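The overview recommends adding or enforcing confirmation for delete, batch update, reset and export before using real HR or payroll data, and the findings on destructive operations and on export above describe what goes wrong without it. The following is an added example, not the skill's own code, of a preview-then-confirm gate: each gated action is first staged, reporting exactly which records it would touch and returning a token bound to the action, its parameters and that scope; only echoing that token back executes it. Export is additionally pinned to an approved folder (rejecting paths that escape it) and omits salary unless the caller asks for it. The in-memory record layout, the field names and the sample records are constructed for the demonstration.

```python
"""Preview-then-confirm gate for destructive and exporting HR actions.
Added example, not the skill's own code; record layout and sample data are constructed."""
from __future__ import annotations
import csv, hashlib, json, tempfile
from dataclasses import dataclass
from pathlib import Path

GATED = {"delete", "batch_update", "reset", "export"}


class ConfirmationRequired(Exception):
    """A gated action was attempted without a valid staged token."""


@dataclass
class Pending:
    name: str
    params: dict
    affected: list   # record keys the action will touch
    token: str       # must be echoed back to execute


class Gate:
    def __init__(self, records: dict, export_dir: Path):
        self.records, self.export_dir = records, export_dir.resolve()
        self.pending, self.audit = {}, []

    def preview(self, name: str, **params) -> Pending:
        """Stage an action without running it; the token binds name, params and scope."""
        if name not in GATED:
            raise ValueError(f"not a gated action: {name!r}")
        affected = self._affected(name, params)
        token = hashlib.sha256(json.dumps([name, params, affected], sort_keys=True).encode()).hexdigest()[:12]
        self.pending[token] = Pending(name, params, affected, token)
        return self.pending[token]

    def confirm(self, token: str) -> dict:
        """Run a staged action only when its exact token is echoed back."""
        action = self.pending.pop(token, None)
        if action is None:
            raise ConfirmationRequired("no staged action matches this token")
        result = self._execute(action)
        self.audit.append({"action": action.name, "affected": len(action.affected)})
        return result

    def _affected(self, name: str, p: dict) -> list:
        if name == "delete":
            return [p["employee_id"]] if p["employee_id"] in self.records else []
        if name == "batch_update":
            return [k for k, r in self.records.items() if r.get(p["field"]) == p["from_value"]]
        return sorted(self.records)  # reset and export touch every record

    def _execute(self, a: Pending) -> dict:
        p = a.params
        if a.name == "delete":
            for k in a.affected:
                del self.records[k]
        elif a.name == "batch_update":
            for k in a.affected:
                self.records[k][p["field"]] = p["to_value"]
        elif a.name == "reset":
            self.records.clear()
        else:  # export
            target = (self.export_dir / p["filename"]).resolve()
            if self.export_dir not in target.parents:   # blocks "../Desktop/leak.csv"
                raise ValueError("export destination outside approved folder")
            columns = p.get("columns") or ["employee_id", "name", "department"]  # salary only on request
            with target.open("w", newline="", encoding="utf-8") as fh:
                w = csv.DictWriter(fh, fieldnames=columns, extrasaction="ignore")
                w.writeheader()
                for k in a.affected:
                    w.writerow({"employee_id": k, **self.records[k]})
            return {"written": len(a.affected), "path": str(target)}
        return {"changed": len(a.affected)}


def sample_records() -> dict:
    # Constructed sample data, not real employee records.
    return {
        "E001": {"name": "Alice", "department": "Eng", "status": "probation", "salary": 9000},
        "E002": {"name": "Bob", "department": "Eng", "status": "probation", "salary": 8500},
        "E003": {"name": "Cara", "department": "HR", "status": "active", "salary": 7000},
    }


def demo(export_dir: Path) -> dict:
    gate = Gate(sample_records(), export_dir)
    staged = gate.preview("batch_update", field="status", from_value="probation", to_value="active")
    out = {"staged": len(staged.affected), "before": gate.records["E001"]["status"]}
    try:
        gate.confirm("not-the-token")            # a casual follow-up cannot execute it
        out["wrong_token_rejected"] = False
    except ConfirmationRequired:
        out["wrong_token_rejected"] = True
    gate.confirm(staged.token)
    out["after"] = gate.records["E001"]["status"]
    out["written"] = gate.confirm(gate.preview("export", filename="roster.csv").token)["written"]
    try:
        gate.confirm(gate.preview("export", filename="../leak.csv").token)
        out["escape_blocked"] = False
    except ValueError:
        out["escape_blocked"] = True
    out["audit_entries"] = len(gate.audit)
    return out


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))
```

Calling `run_demo()` stages a bulk probation-to-active change affecting two records, shows that a wrong token is rejected and the real token applies it, writes a three-row roster without salary into the approved folder, and refuses the export that tries to step out of it. Deriving the token from the staged scope means a confirmation given for one preview cannot be reused for a wider one.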

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The binding flow converts paths to absolute paths and stores the full filesystem path in audit logs. While this is not direct exfiltration by itself, logging full local paths can expose workstation usernames, directory layouts, project names, or other environment details to anyone who can read audit storage.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The attendance-binding path likewise records absolute local file paths in audit storage without user disclosure or redaction. In an HR environment, these paths may reveal sensitive directory structure and user-specific information, creating unnecessary metadata exposure beyond the core business function.
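Both audit-log findings above come from the same pattern: the binding flow resolves the user-supplied path to an absolute path and writes that string into the log. The following is an added example, not the skill's own code, showing the leaky entry next to a redacted one that logs the path relative to the data directory when the file sits inside it and a truncated hash otherwise, so repeated bindings of the same external file remain correlatable without revealing the workstation layout. It normalizes POSIX-style absolute paths lexically (no filesystem access) so it runs identically on any host; the data directory and file paths are constructed.

```python
"""Audit-log path redaction for the file-binding flow.
Added example, not the skill's own code. Paths are normalized lexically as POSIX
absolute paths (no filesystem access); the sample paths are constructed."""
import hashlib
from pathlib import PurePosixPath


def normalize(raw: str) -> PurePosixPath:
    """Lexical equivalent of the absolute-path conversion the finding describes
    (collapses '.' and '..' without touching the filesystem; assumes an absolute input)."""
    parts = []
    for part in PurePosixPath(raw).parts:
        if part == "..":
            if len(parts) > 1:      # never pop the root
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def unsafe_audit_entry(action: str, raw: str) -> dict:
    """What the finding describes: the full absolute path lands in the log."""
    return {"action": action, "file": str(normalize(raw))}


def redact(raw: str, data_dir: str) -> str:
    """Inside the data directory: log only the relative path (no username, no layout).
    Elsewhere: log a truncated SHA-256 of the normalized path so repeated bindings
    stay correlatable without revealing the location."""
    p, base = normalize(raw), normalize(data_dir)
    try:
        return str(p.relative_to(base))
    except ValueError:
        return "external:" + hashlib.sha256(str(p).encode()).hexdigest()[:16]


def safe_audit_entry(action: str, raw: str, data_dir: str) -> dict:
    return {"action": action, "file": redact(raw, data_dir)}


def demo() -> dict:
    # Constructed paths; "alice" stands in for the workstation username the finding warns about.
    data_dir = "/home/alice/projects/acme-hr/.hr-data"
    inside = "/home/alice/projects/acme-hr/.hr-data/../.hr-data/employees.xlsx"
    outside = "/home/alice/Desktop/payroll-2024.xlsx"
    return {
        "unsafe": unsafe_audit_entry("bind_employees", inside),
        "safe_inside": safe_audit_entry("bind_employees", inside, data_dir),
        "safe_outside": safe_audit_entry("bind_attendance", outside, data_dir),
    }


if __name__ == "__main__":
    for label, entry in demo().items():
        print(label, entry)
```

The unsafe entry records `/home/alice/projects/acme-hr/.hr-data/employees.xlsx`, exposing the username and project name; the redacted entries record `employees.xlsx` and `external:<hash>`. The hash prefix is enough to tell an analyst that two audit events refer to the same outside file without disclosing where it lives.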

VirusTotal

64/64 vendors reported this skill as clean.