IrReplaceable

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only career coaching skill that asks for user-provided workplace context but does not run code, access files, request credentials, or perform hidden actions.

Before using this with real workplace situations, avoid sharing confidential company plans, proprietary project details, private HR matters, or identifiable information about coworkers unless you are comfortable putting that information into the chat. Expect direct career feedback in English.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The description uses broad trigger language such as helping users with career development advice, workplace competitiveness, promotion bottlenecks, and growth plans, which can cause the skill to be invoked for a wide range of generic career queries. This creates routing and prompt-scope risk because the skill may intercept requests outside a narrowly defined specialty, increasing the chance of inappropriate application, inconsistent advice quality, or unintended exposure of sensitive workplace information during over-broad activation.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill name explicitly ends in '-en', and the finding notes English-only behavior without user choice or justification. While not a classic security flaw, this is a trust and safety issue because users may receive analysis in a language they do not fully understand, leading to misinterpretation of career guidance, incorrect disclosures, or exclusion of users who cannot safely validate the output.

VirusTotal

64/64 vendors flagged this skill as clean.
