Security audit

Placed Resume Builder

Security checks across malware telemetry and agentic risk

Overview

This skill manages Placed resumes coherently, but users should understand that it sends resume data to Placed and stores an API key in a local file.

Install only if you trust Placed with your resume data. Use a revocable API key, review resume updates and visibility changes before submission, and protect or delete ~/.config/placed/credentials if you do not want the key to persist locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to source credentials from a local file and environment, then later persist a user-provided API key to disk. Accessing and storing secrets is security-sensitive behavior, and the manifest does not clearly disclose this capability or constrain when it should occur, creating risk of unnecessary secret handling and expansion of access beyond the immediate task.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells the agent to save the API key in plaintext under ~/.config/placed/credentials without warning the user that the secret will persist across sessions. Plaintext credential persistence increases the chance of later disclosure through other tools, backups, shell access, or unrelated skills reading files in the home directory.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill is designed to transmit resume contents and identifiers to a remote service, but the description does not clearly warn users that potentially sensitive personal and employment data will leave the local environment. Resumes often contain PII, career history, contact details, and links, so omission of this disclosure undermines informed consent.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.