umemployment-skill

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent unemployment-support skill, but it needs review because some layoff advice is too loose about moving employer emails, work materials, and client or colleague contacts.

Review this skill before installing. Its core coaching content is reasonable, but do not follow any advice to forward work emails, export client or colleague contacts, or keep project materials unless you are clearly authorized by company policy, contract, and local law. For crisis or legal guidance, verify local resources instead of relying only on the included static hotline and rights lists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High (95% confidence)
Finding
The trigger list is extremely broad and includes common emotional and career-related words across multiple languages, making accidental invocation likely in ordinary conversation. This can cause the skill to activate outside clear unemployment-support contexts, leading to inappropriate interception of user intent, privacy overreach, or unwanted emotionally manipulative responses.

Natural-Language Policy Violations

Medium (91% confidence)
Finding
Forcing replies in a detected native language without user choice can misclassify language preferences and override user agency, especially for multilingual users or users discussing another language. In a sensitive support context, incorrect language assumptions can reduce clarity, create discomfort, and increase the chance of misunderstood advice.

Natural-Language Policy Violations

Medium (92% confidence)
Finding
This rule mandates language-specific responses based on detection logic instead of explicit user preference, repeating the same control issue at the response-guidelines level. Because the skill deals with emotional support and practical advice, a wrong language choice can degrade trust and lead to miscommunication during a vulnerable interaction.

Natural-Language Policy Violations

Medium (88% confidence)
Finding
The file lists crisis resources in Chinese alongside US and UK lines, but it does not explain when those numbers are appropriate or ask the user for country/language before presenting them. In a mental-health and unemployment support skill, ambiguous crisis routing can confuse users in distress and delay access to the correct local emergency support, especially for multilingual users who may assume all listed options are universally applicable.

VirusTotal

65/65 vendors flagged this skill as clean.