ClawHub

Ai-Interview-Skill

Security checks across malware telemetry and agentic risk

Overview

This interview-coaching skill is legitimate, but it saves local profiles and full interview notes that users should understand before using it.

Install only if you are comfortable with interview profiles and full Q&A notes being saved under ~/.claude/ai-interview. Avoid sharing secrets, employer-confidential code, or personal details during sessions, and periodically review or delete those local files if you do not want the history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs automatic persistent storage of detailed interview notebooks and exact user answers, which exceeds the core need of conducting a coaching session and creates a durable record of potentially sensitive personal or professional information. Because the data is saved locally by default and retained across sessions, disclosure risk increases if the host is shared, backed up, indexed, or later accessed by other tools.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill description presents itself as an interview coach but does not clearly disclose that it will create and manage files under ~/.claude/ai-interview. This is dangerous because users may reveal sensitive interview responses, names, or performance history without realizing the interaction causes persistent local storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The profile design stores usernames, ability scores, and session history on disk without any privacy warning in the visible skill description. Even if intended for personalization, this silent collection and retention of user-provided data violates least surprise and increases privacy risk over time.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatically saving full session notebooks containing exact answers creates long-term retention of highly specific free-form user content without upfront consent. Verbatim answers may include confidential work examples, personal data, or proprietary technical details, making the persistence materially more sensitive than simple progress tracking.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instruction to log users' exact answers verbatim into persistent session files causes unnecessary accumulation of raw content that may contain sensitive or proprietary information. Long-term exact-text storage magnifies exposure in case of local compromise, accidental sharing, indexing, or reuse by unrelated tools.

Ssd 3

Medium
Confidence
93% confidence
Finding
The profile and session-history mechanism is designed to accumulate user information across repeated sessions without any stated minimization, expiration, or consent controls. Persistent longitudinal tracking of ability and history can become sensitive behavioral data, especially when tied to a username and domain preferences.

Session Persistence

Medium
Category
Rogue Agent
Content
| System Design | Staff Engineer | Architecture, scalability, trade-offs |
| Algorithms/DS | Senior SWE | Problem solving, complexity, optimization |

### Step 1: Load or Create User Profile

User ability profiles are stored in: `~/.claude/ai-interview/`
Confidence
91% confidence
Finding
Create User Profile User ability profiles are stored in: `~/.claude/ai-interview/` - Filename: `{username}_{domain}.md` (e.g., `alice_python.md`, `bob_aiml.md`) - On first session in a domain: creat

Session Persistence

Medium
Category
Rogue Agent
Content
**2. Save interview session notebook** for future review:

Create a detailed session log at: `~/.claude/ai-interview/sessions/{username}_{domain}_{YYYYMMDD}_{HHMMSS}.md`

Session notebook format:
Confidence
95% confidence
Finding
Create a detailed session log at: `~/.claude

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal