ClawHub

Huo15 Wvi

Security checks across malware telemetry and agentic risk

Overview

This is a transparent HR questionnaire, but it can produce sensitive employee profiling and attrition-risk reports without privacy, consent, retention, or access-control guidance.

Install only if you are prepared to handle responses as sensitive HR data. Before using it with employees, add an informed-consent notice, explain who will see results, avoid unnecessary identifiers, define retention/deletion rules, and treat the output as conversation support rather than a standalone employment-decision tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly collects employee work values, satisfaction, and attrition-risk indicators, which are sensitive employment-related data. Without a privacy notice, consent language, retention limits, or guidance on appropriate handling, the skill may cause users to disclose personal data that is later mishandled, over-shared, or used in employment decisions without sufficient transparency.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The aliases include very broad HR terms such as "价值观调研", "WVI量表", and "留任面谈", which can unintentionally trigger the skill during ordinary workplace conversations. Because this skill then starts collecting employee preference and retention-risk data, accidental invocation can cause unsolicited sensitive profiling and misrouting of HR interactions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly collects sensitive employee values, workplace satisfaction, and 'potential attrition risk' indicators, but provides no privacy notice, consent language, retention limits, audience restrictions, or warning about employment consequences. In an HR context, this can enable covert profiling, inappropriate personnel decisions, and mishandling of sensitive assessment data with legal and ethical implications.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The changelog explicitly broadens activation phrases to generic HR terms like '价值观测评' and '留任面谈', which can plausibly appear in ordinary workplace conversations. In an agent skill, underspecified triggers increase the chance of unintended invocation, causing the tool to engage in sensitive employee assessment or retention-risk analysis outside a clearly intended context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal