Placed Career Tools

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Placed API helper for career tasks, but users should understand that it stores an API key locally and sends career data to Placed.

Install only if you trust Placed with the career information you submit. Prefer a dedicated API key, avoid sharing unnecessary resume or compensation details, protect or delete ~/.config/placed/credentials when finished, and require confirmation before adding, updating, or deleting job-application records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly instructs writing the user's API key to a plaintext file under ~/.config/placed/credentials for future reuse, without warning about local persistence, file permissions, or shared-machine exposure. This can leak a reusable bearer token to other local users, backups, shell tooling, or malware, enabling unauthorized API use and access to career-related data.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill markets resume matching, cover-letter generation, salary analysis, and company research via a remote API, which implies transmission of sensitive personal and employment data to a third-party service. Because it provides no user-facing privacy notice or consent step, users may unknowingly disclose resumes, compensation details, and job-search information to an external processor.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal