Security audit

Labor Contract Review

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only labor contract review skill. The sensitive inputs it asks for are relevant to its purpose, but users should redact unnecessary personal details before use.

Use this for clause-level labor contract review, not as a substitute for legal advice. Before uploading or pasting a contract, redact personal identifiers and irrelevant confidential details where possible, especially ID numbers, addresses, signatures, bank details, phone numbers, and email addresses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 87% confidence

Finding: The skill description uses very broad trigger language covering many labor-contract-related situations without clear routing boundaries, which can cause the agent to invoke this skill in ambiguous contexts. That increases the chance of over-collection of sensitive documents or the delivery of legal-style guidance when a narrower, safer workflow or a general assistant response would be more appropriate.

Missing User Warnings

Medium, 95% confidence

Finding: The skill instructs collection of highly sensitive personal and employment data, including names, ID numbers, addresses, salary, and contract terms, but provides no privacy warning, minimization guidance, or redaction instruction at the collection step. In a contract-review context this is especially risky because users may upload full contracts containing government identifiers and other confidential data that are not always necessary for clause analysis.

VirusTotal

All 64 of 64 vendors reported this skill as clean.