
Security audit

职场罗盘 (Career Compass): helps job seekers prepare for interviews, research companies, and run mock interviews; Your Guide for Interview Prep, Company Research, and Mock Interviews

Security checks across malware telemetry and agentic risk

Overview

This career assistant has a coherent job-search purpose, but it can access sensitive BOSS/Zhipin account sessions and includes account-action commands beyond its advertised read-only use.

Review before installing. Use this only if you are comfortable with a local BOSS/Zhipin integration that installs a Python CLI, reads or imports BOSS session cookies from your browser or environment, stores them locally, and includes employer-contact commands. Prefer QR login over browser-cookie extraction, avoid BOSS_COOKIES unless necessary, do not use greet or batch-greet unless you intentionally want outreach, and delete ~/.config/boss-cli/credential.json when finished or on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, installs packages, reads local files, and uses networked CLIs, yet it declares no permissions. This creates a transparency and consent failure: users may activate a seemingly benign job-search assistant without realizing it can access local resumes, install software, or interact with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond passive job assistance into account-linked operations via boss-cli, including login, persistent credential handling, reading job-platform data, and possible outbound actions such as greetings or applications. That mismatch is dangerous because users may provide sensitive career data and authorize platform access without informed consent, enabling privacy loss or unintended actions on their behalf.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code directly reads Boss Zhipin authentication cookies from local browser profiles and leverages platform keychain/keyring access to decrypt them. For a career-assistant skill, silent harvesting of browser session credentials is over-privileged and can expose active authenticated sessions without clear, contemporaneous user consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The subprocess fallback repeats the same sensitive browser-cookie harvesting behavior while adding process spawning to bypass operational issues like SQLite locks. This increases the reliability of credential extraction from local profiles beyond what is justified for the stated job-assistant purpose and broadens the attack surface around secret access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The file explicitly automates a browser to inject authenticated cookies and harvest __zp_stoken__, an anti-bot token, to unlock additional APIs that pure HTTP cannot access. In a job-assistant skill, this materially expands from normal user-facing assistance into evasion of platform access controls, which increases abuse risk, account risk, and likelihood of violating the target service's protections.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The client exposes a side-effecting social action via add_friend(), described as sending greetings or delivering a resume to a Boss. That goes beyond passive job-search/research behavior in the manifest and can trigger real account actions without any built-in confirmation, making accidental or hidden employer contact possible.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This code can access sensitive account-scoped data including user info, resume details, application history, interview data, browsing history, and chat-related contacts. Those data accesses are broader than the manifest's simple job-assistance description, so users may not reasonably expect the scope of collection and processing.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module-level description explicitly advertises anti-detection behavior, signaling intent to evade platform defenses rather than simply provide normal client reliability. In a job-assistance skill, embedding evasion language and functionality materially increases suspicion that the code is designed to bypass monitoring, rate limits, or anti-automation controls.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The inline comments and logic explicitly implement randomized delays and long pauses 'to mimic human browsing/reading,' which is a classic anti-bot evasion technique. This is dangerous because it helps conceal automation from platform controls while the skill appears to users as benign employment assistance.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code implements bulk unsolicited outreach and explicitly spaces requests to reduce the chance of platform detection. In the context of a job-assistance skill, automating mass greetings goes beyond user assistance into behavior that can facilitate spam and abuse of a recruiting platform.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The surrounding code performs anti-detection throttling, while the comment text can mislead reviewers about the real purpose of the delay. Mislabeling behavior that reduces detection risk obscures abuse-enabling logic and makes unsafe automation harder to identify during review.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Including browser-cookie3 gives the packaged component the ability to read browser cookies from the local machine, which can expose authenticated session tokens and other sensitive data. In a job-assistance skill, that is more dangerous because users are likely to run the tool on personal systems while logged into employment, email, or social platforms, and the dependency is not clearly justified in this metadata.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tests clearly validate functionality for loading and extracting authentication cookies for zhipin.com from browser stores and the BOSS_COOKIES environment variable. That behavior is outside the declared scope of a resume/company-research/mock-interview skill and indicates undeclared account-session access capability, which materially increases security risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The tested code path supports reading live authentication cookies from browser storage and environment variables, which is credential-access behavior. Session cookies can grant account access equivalent to login, so implementing this without a clear, justified need and strong safeguards is dangerous.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer automatically installs `kabi-boss-cli` from the network via `uv`, `pipx`, or `pip` without an explicit confirmation step or a clear pre-install warning that the local environment will be modified. This creates supply-chain and unintended-environment-change risk, especially because it may install executable tooling into the user's account PATH and fetch unpinned packages from external registries.

Vague Triggers

High
Confidence
95% confidence
Finding
The README explicitly states the skill can be activated by broad, loosely related job-seeking language rather than clear, intentional invocation. This creates an overbroad trigger surface that can cause the skill to activate unexpectedly in ordinary conversation and access sensitive resume, company, or job-search workflows without a strong user signal.

Vague Triggers

High
Confidence
97% confidence
Finding
The design principle says to 'trigger first and ask questions later' even when user information is insufficient, which encourages activation on vague semantic matches without clear boundaries. In a skill that processes resumes and performs external job/company queries, this increases the chance of unintended collection or use of sensitive employment-related data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Several sample trigger phrases are common conversational statements such as wanting to change jobs or feeling nervous about an interview, which are not sufficiently specific to indicate informed consent to invoke the skill. Because the skill can move into data-sensitive workflows, these examples normalize accidental activation and broaden the opportunity for misuse or surprise behavior.

Vague Triggers

High
Confidence
88% confidence
Finding
The activation logic is intentionally broad enough to capture many ordinary job-related statements and automatically enter a workflow that collects resumes, company targets, and JD details. In a skill with local file parsing and external CLI usage, over-broad triggering increases the chance of collecting sensitive personal data or prompting privileged actions without sufficiently explicit user intent.

Vague Triggers

High
Confidence
86% confidence
Finding
The company-research module auto-triggers on vague phrases about whether a company is 'worth it' or 'reliable,' which can silently shift the conversation into a data-gathering and search workflow. Because the skill also ties into external services and job-platform actions, this broad trigger surface raises privacy and consent risks beyond normal conversational assistance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting automatic browser cookie extraction for login without an explicit warning normalizes handling of sensitive session material and may lead users to grant broad access without understanding the privacy and account-security implications. In a job-search skill that can access profile and application-history data, stolen or mishandled cookies could expose personal information or enable unauthorized account access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The environment-variable loading path ingests raw authentication cookies with no user-facing disclosure at the point of use, and elsewhere the module auto-saves credentials to disk. Handling session cookies this way can surprise users, normalize secret sprawl, and increase the chance of credential leakage through environment exposure, shell history, or inherited process environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The client automatically loads credential cookies into a persistent HTTP session and uses them to access account-bound resources, but the code provides no user disclosure, consent gating, or scope limitation. In a skill handling resume and employment data, silent use of authenticated session material increases privacy and account-misuse risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The add_friend() method performs a user-affecting action that can contact an employer or submit an application-equivalent greeting with no confirmation or safeguard in this client layer. In a job-seeking context, unintended outreach can expose the user's identity, resume, or job-search activity and cause reputational or employment harm.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad, generic, and map to common conversational requests like '帮我查一下XX公司' ("look up company XX for me") or '这家公司怎么样' ("what is this company like"), which increases the chance of accidental or over-eager invocation outside clearly scoped employment-research intent. In an agent environment, this can cause the skill to activate on ambiguous user input and perform unwanted research, data retrieval, or opinion synthesis without sufficient confirmation, especially when company names are underspecified.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.