Job Search Report

Security checks across malware telemetry and agentic risk

Overview

This skill clearly does what it says: it reads job-search-related Gmail messages to create a report, with no hidden code or automatic destructive behavior found.

Install only if you want an agent to read job-search-related Gmail messages through your authenticated gog setup. Before running it, confirm the Gmail account and date range, review any quoted email text or recruiter contact details, and avoid saving or sharing the report unless you are comfortable storing that private job-search information on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill analyzes highly sensitive Gmail content, including application history, recruiter messages, and potentially personal identifiers, but does not instruct the agent to obtain explicit informed consent or warn the user about the privacy implications. This creates a meaningful privacy risk because the skill may aggregate and expose more job-search data than the user expects from a simple summary request.

Missing User Warnings

Medium
Confidence: 96%
Finding
Saving the generated report to a local markdown file can persist sensitive job-search data, recruiter contact details, timelines, and message excerpts onto disk without any built-in warning about local storage risks. If the endpoint is shared, backed up, synced, or later accessed by other software, the user’s private employment search information could be unintentionally disclosed.

VirusTotal

66/66 vendors flagged this skill as clean.
