ClawHub

Resume Studio

Security checks across malware telemetry and agentic risk

Overview

This resume-building skill handles sensitive personal details and saves resume files locally, but those behaviors fit its stated purpose and no deceptive or destructive behavior was evidenced.

Install only if you are comfortable providing resume details to the agent. Use a private local folder for generated files, avoid including unnecessary sensitive identifiers, and delete drafts you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly solicits sensitive personal data including name, phone, email, location, education, and employment history, but provides no privacy notice, retention policy, or handling restrictions. In a resume context this is materially sensitive PII, and users may disclose more data than intended without understanding how it will be stored, processed, or exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code saves generated .docx files to an arbitrary output path without any user-facing warning in the skill description. Because the content contains highly sensitive resume data, silent local file creation can leave personal information on shared systems, synced folders, backups, or unexpected locations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The PDF generation path likewise persists sensitive resume contents to disk without any corresponding disclosure. Even though this is expected functionality for a resume tool, the lack of transparency about file creation and persistence increases the chance of inadvertent exposure of personal data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal