Security audit

GIS 校招监控 (GIS Campus Recruitment Monitoring)

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it overpromises live GIS job monitoring while bundled scripts generate sample or fixed reports and can write local files or create scheduled pushes.

Review before installing. Only enable scheduled pushes if you know how to remove the cron job, use a limited Brave Search API key, and treat included job outputs as examples unless the agent performs a fresh live search. Be aware the scripts may create local report files in fixed locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 72%
Finding
The skill instructs writing scraped results to local files such as `references/latest-jobs.md`, but no permissions are declared to make that file modification explicit or constrained. Undeclared write behavior reduces transparency and can surprise users or operators, especially when combined with scheduled execution that may repeatedly overwrite or append data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented behavior claims real-time search, monitoring, and scheduled push delivery, but the analysis indicates the implementation may instead generate fixed or simulated output and write local reports. This mismatch is dangerous because users may make decisions based on stale or fabricated job information, and hidden file-generation behavior expands the effective scope beyond what the description promises.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The skill explicitly says scraped job data will be saved to a local file, but does not warn users that running the skill modifies the local filesystem. While the data itself is not highly sensitive, silent persistence can overwrite prior results, leak browsing-derived content into shared storage, or create unexpected artifacts during automated runs.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
The script writes a file to a fixed absolute path under /root without user confirmation or configurability. In an agent environment, silent filesystem writes can create side effects, overwrite expected artifacts, or expose generated content in a privileged workspace path, especially if the script runs with elevated permissions.

VirusTotal

65/65 vendors flagged this skill as clean.