Freelancer Auto Bidder

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Freelancer.com bidding helper whose file logging and search behavior are disclosed and fit its purpose.

Install this only if you want help finding Freelancer.com projects and drafting bids. Review every proposal, price, and account action before submission, and inspect or delete bids.md if you do not want bid history retained in the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description is broadly phrased around finding freelance jobs and drafting proposals, which can cause it to activate for common job-search, writing, or proposal-related requests even when the user did not intend to use this skill. Over-broad triggering increases the chance of unintended external searching and bid-related actions being suggested or performed in contexts that need clearer user consent and boundaries.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to maintain a `bids.md` log in the workspace, but the description does not warn users that the skill may create or modify local files. This can lead to unexpected workspace changes, accidental persistence of sensitive job or client information, and reduced user awareness about when data is being stored.

VirusTotal

64/64 vendors flagged this skill as clean.
