Talent Radar

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent resume and job-matching tool, but it supports employment screening with subjective and education-prestige scoring that users should review carefully before relying on it.

Install only if you are comfortable using it as advisory decision support, not as an automated hiring decision maker. Review or disable culture-fit, stability, and school-prestige scoring, obtain consent for resume processing, minimize retained applicant data, and have humans validate any hiring recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The matcher explicitly boosts scores for candidates from a hardcoded list of elite schools, which introduces pedigree-based discrimination unrelated to demonstrated job capability in many roles. In a hiring context, this can systematically bias screening outcomes, create unfair exclusion, and expose operators to legal, compliance, and reputational risk.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The code infers soft traits and 'culture match' from free-form resume text using simplistic keyword heuristics and also assumes stability from placeholder logic. In employment screening, this can generate opaque and subjective judgments about personality or fit, leading to biased or non-job-related decisions that are difficult to justify or audit.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly encourages parsing resumes, job descriptions, and batch screening of multiple candidates, all of which commonly contain sensitive personal data such as names, phone numbers, email addresses, employment history, and education records. Presenting these workflows without any privacy warning, consent guidance, retention limits, or handling requirements creates a realistic risk of improper collection, over-processing, or disclosure of personal data by users deploying the skill.

VirusTotal

64/64 vendors flagged this skill as clean.
