Security audit

JobGPT

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent JobGPT integration, but it can submit real job applications and send sensitive career data through an external service without clear auto-apply confirmation safeguards.

Install only if you trust JobGPT and its MCP server with resume, profile, salary, application, and outreach data. Before using auto-apply, set narrow criteria and daily limits, review the jobs and resume content, and require explicit approval for each application or batch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README explicitly promotes 'auto-apply' and direct application submission on the user's behalf without any warning, confirmation requirement, or discussion of safeguards. In a job-application skill, this is risky because users may trigger real-world submissions containing personal data, inaccurate information, or unwanted applications, creating privacy, reputational, and compliance issues.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The description is broad enough to trigger on many ordinary job-seeking requests, which can cause the skill to activate in contexts where the user did not specifically ask for automation or third-party actions. Because this skill can search, import jobs, generate resumes, and initiate applications, overbroad invocation increases the chance of unintended access to personal data or unintended external actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill prominently advertises automatic job application capability but does not provide a comparably prominent warning that it may submit real applications to external employers on the user's behalf. In this context, silent or insufficiently warned automation is more dangerous because actions can affect a user's professional reputation, disclose personal resume/profile data, and create irreversible submissions.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.