Match jobs through resumes

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims: parse a user-provided resume, search public job/company sources, and generate reports, with privacy cautions around resume data.

Install only if you are comfortable letting the agent process your resume and use job-relevant details such as role goals and skills in web searches. Avoid sharing unnecessary personal details, run it in a controlled workspace, review the generated JSON/report files, and delete sensitive outputs after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
94% confidence
Finding
This skill processes highly sensitive personal data from resumes and then performs broad online searches and company background checks, but it provides no explicit notice about what data may be transmitted to external services or search tools. Without clear consent and minimization, users may unknowingly expose PII, employment history, contact details, and other sensitive profile data to third parties, which is especially risky in a job-seeking context.

Missing User Warnings

Medium
94% confidence
Finding
The script writes parsed resume data, including raw extracted text that may contain highly sensitive personal information, to a local JSON file by default without any consent prompt, warning, retention control, or access restriction. In the context of a resume-processing skill, this increases privacy risk because users are likely uploading documents containing PII such as names, phone numbers, email addresses, addresses, employment history, and education records.

VirusTotal

67/67 vendors flagged this skill as clean.
