ClawHub
Back to skill

Security audit

简历标准化解析虾

Security checks across malware telemetry and agentic risk

Overview

This resume-processing skill appears useful, but it handles sensitive applicant data and can export it to Feishu Bitable or files without enough disclosed consent, destination, or retention controls.

Install only if you are comfortable letting the skill read resume files and create persistent applicant records. Before uploads or exports, confirm the exact Feishu Bitable or file destination, which fields will be written, who can access them, and how the data can be deleted or redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill references local parsing scripts and export flows that imply file read/write capability, but it does not declare permissions or boundaries for those operations. In a resume-processing context, this matters because the files contain sensitive personal data, and undeclared filesystem access reduces transparency, reviewability, and safe execution controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill processes highly sensitive resume data such as names, phone numbers, emails, education, and work history, then describes writing that data to Feishu Bitable or exporting it to files without any privacy notice, consent step, or destination validation. This creates a real risk of unauthorized disclosure, over-sharing, or accidental persistence of personal data in third-party systems or local files.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal