JobTread Agent

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate JobTread API helper, but it gives an agent broad power to change live business data and create webhooks without clear safety boundaries.

Install only if you want an agent to operate JobTread with a real grant key. Use the narrowest grant available, store it with restrictive permissions, confirm every create/update/delete/webhook or signed-document action before it runs, avoid unattended production automations, and review or revoke webhooks and grants regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly suggests forwarding webhook events to third-party services like Slack or WhatsApp, but it provides no warning about the sensitivity of customer, job, document, or file-upload metadata that may be transmitted. This can lead to unintended disclosure of business or personal data to external processors, especially if users copy the example directly.

VirusTotal

65/65 vendors flagged this skill as clean.
