Serbia Job Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent job-search helper, but its optional email feature asks users to store a Gmail App Password in a local config file.

Install only if you are comfortable with the skill reading your resume, scraping job sites, and keeping job-search state locally. If you enable email, treat the Gmail App Password as a real secret: do not share or commit the skill folder, restrict file access where possible, and rotate or revoke the app password if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly instructs users to place a Gmail App Password in `workspace/config.json`, which encourages storing a reusable email credential in a local plaintext configuration file under the skill directory. That increases the risk of credential disclosure through local compromise, backups, logs, screenshots, accidental sharing of the skill folder, or other tooling that reads workspace files.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the user to provide a Gmail App Password and store it in `workspace/config.json` without any warning about plaintext secret storage, access controls, retention, or safer alternatives. That creates a clear credential-handling weakness: anyone with access to the workspace or logs may recover the SMTP credentials and use them to send mail or pivot into the user's email account capabilities.

VirusTotal

65/65 vendors flagged this skill as clean.
