ClawHub

雄韬识人辨人 - 老板阅人笔记 The Ren Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it should be reviewed because it applies face-reading and covert observation to hiring, layoffs, customers, and partners without strong safeguards.

Install only if you want a Chinese-language business face-reading framework and understand it is not evidence-based HR or risk tooling. Do not use it as a basis for hiring, firing, promotion, credit, partnership, or customer-risk decisions, and do not collect photos or observe people covertly without clear consent and applicable legal review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This content instructs employers to infer employee risk, loyalty, and growth potential from facial appearance and other physical cues, which are unreliable proxies for job performance and can drive discriminatory decision-making. In an employment context, quasi-diagnostic judgments based on physiognomy are especially dangerous because they may influence hiring, promotion, and retention decisions affecting protected individuals without valid evidence.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file explicitly recommends using 'face-reading' signals to help decide whom to lay off, including statements like '绩效低+面相差=没有改善可能,优先裁', which elevates pseudoscientific physical-appearance judgments into adverse employment action. This creates acute legal, ethical, and safety risk because termination decisions based on appearance can institutionalize discrimination and deny employees fair, evidence-based review.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad enough to activate on ordinary business, hiring, negotiation, or psychology-related queries, causing the skill to intervene in high-stakes decisions without clear user intent to request physiognomy-based judgment. In context, this is more dangerous because the skill is explicitly designed to influence employment, partnership, customer, and adversarial decisions using speculative face/body-language inferences, which can amplify bias and unreliable profiling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill presents physiognomy as commercially actionable analysis without a prominent warning that such methods are unreliable, subjective, and inappropriate as a primary basis for decisions about hiring, firing, partnerships, or conflict strategy. This is especially risky here because the file repeatedly instructs the model to turn appearance and behavioral cues into concrete business decisions, increasing the chance of discriminatory or harmful outcomes from pseudoscientific inference.

Missing User Warnings

High
Confidence
99% confidence
Finding
This is a true vulnerability. The handbook explicitly recommends making hiring and management decisions from physiognomy, facial appearance, and body-language heuristics that are unreliable, bias-prone, and closely tied to protected or immutable traits, creating a strong risk of discriminatory screening and unfair employment decisions. In this skill context, the danger is increased because the content is positioned as a business decision system for bosses, recruiters, and executives, which encourages operational use rather than abstract discussion.

Missing User Warnings

High
Confidence
97% confidence
Finding
This is a true vulnerability. The file advises evaluators to observe candidates while they believe they are not being assessed, encouraging covert surveillance-like screening without notice and then using those observations for employment decisions. In a hiring skill, this is especially dangerous because it compounds the core physiognomy problem with privacy, transparency, and fairness concerns, and can institutionalize hidden, non-job-related evaluation practices.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file is written entirely in Chinese and frames the skill around Chinese business and face-reading concepts without offering any language fallback or stating a justified locale restriction. This can exclude users, mis-handle multilingual requests, and cause the agent to respond in an unintended language or cultural frame, which is especially risky in a decision-support skill that influences hiring, partnership, and customer judgments.

Missing User Warnings

High
Confidence
96% confidence
Finding
The template explicitly recommends taking a 'natural state' photo during interviews 'without disturbing' the subject, but does not require informed consent, legal basis, retention limits, or any privacy warning. In a hiring context this enables covert collection of biometric-adjacent personal data and creates compliance, discrimination, and trust risks, especially when the photo is later used to assess '面相' or infer character traits.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal