
Security audit

BOSS Recruit Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it automates a live recruiting account, handles candidate resumes, syncs them to Feishu, uses browser session cookies, and includes explicit anti-detection behavior.

Install only if you are authorized to automate this BOSS account and to transfer candidate data to Feishu. Review the platform's terms and your privacy obligations first. Avoid --live unless you explicitly intend to send messages, protect or remove the local files under ~/.opencli/boss-recruit, rotate any Feishu token that was passed with --token, and prefer a version that removes the anti-detection guidance, the plaintext token persistence, and the cookie-backed download behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions while explicitly describing capabilities that read local configuration/state files and perform network operations against BOSS直聘 and Feishu. This creates a transparency and governance gap: operators cannot accurately assess what the skill can access or transmit, increasing the risk of unintended data exposure involving resumes and candidate PII.

Tp4

High
Category
MCP Tool Poisoning
Confidence
68% confidence
Finding
The documented behavior and the analyzer-observed behavior diverge in security-relevant ways, especially around local file writes for downloaded resumes. When a skill handles candidate resumes, undocumented storage behavior is dangerous because it can lead to unreviewed retention of sensitive personal data and bypass user expectations or compliance controls.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The disclaimer states the tool will not proactively upload credentials or candidate data to third-party servers, yet the skill’s documented behavior explicitly includes syncing candidate resumes and candidate information to Feishu, which is a third-party service. This creates a misleading trust boundary: users may underestimate data-transfer and privacy/compliance risks, especially because resumes contain sensitive personal information.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
In the token-backed path, the code stores `opts.token` as `personal_base_token` inside `~/.opencli/boss-recruit/target.json`. Persisting a live authorization credential to disk is not required merely to resolve and remember the target table, and if the local file is read by another process, user, backup system, or malware, the token can be reused to access or modify the connected Feishu base.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file explicitly instructs the agent to disguise automated requests with full browser fingerprint headers and cookie-bearing download flows to avoid platform defenses. In the context of a recruiting automation skill already framed around anti-risk-control and human-mimicking behavior, this goes beyond normal interoperability and facilitates stealthy circumvention of service protections and detection controls.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The README states the skill can be triggered by a broad natural-language phrase such as “处理一下 Boss 新招呼” (roughly, “handle the new Boss greetings”), which carries no explicit safety constraints or confirmation gates. In context, this skill performs sensitive browser automation against a real recruitment platform, processes candidate personal data, syncs records to Feishu, and can send outbound messages when invoked in live mode, so broad activation increases the chance of unintended execution of impactful actions.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The activation text uses broad natural-language triggers that could cause the skill to be invoked in contexts broader than intended. Because this skill can process resumes, send messages, and sync candidate data, overbroad invocation raises the chance of accidental execution on sensitive workflows without sufficiently explicit user intent.

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
The skill repeatedly promotes anti-detection, anti-risk-control, and account-avoidance behavior intended to simulate humans and evade platform protections. In context, this is more dangerous because the automation targets a third-party recruiting platform, handles external communications, and appears designed to bypass safeguards such as captcha/rate limits rather than respect them.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code explicitly retrieves authenticated cookies from the browser, including HttpOnly session material, converts them into a raw Cookie header, and reuses them in a Node-side HTTP download to another subdomain. This bypasses normal browser security boundaries, removes user visibility/consent for the authenticated file transfer, and increases the blast radius if the download helper, destination, logs, or surrounding code are later abused to exfiltrate protected resumes or session-linked content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code serializes and transmits substantial candidate personal data to Feishu, including name, gender, age, education, work history, and job intent, without any consent gate, disclosure mechanism, or policy enforcement in this component. In a recruiting automation skill, this creates a real privacy and compliance risk because sensitive applicant data is automatically replicated to another system and may be retained or shared beyond the candidate’s expectations.

Missing User Warnings

High
Confidence
95% confidence
Finding
The attachment upload path reads a local resume PDF and sends the full file to Feishu automatically, again without any consent check, warning, classification, or content filtering in this code. Resume attachments often contain highly sensitive PII such as phone numbers, email addresses, government IDs, and detailed employment history, so automatic exfiltration to a third-party platform materially increases privacy, retention, and unauthorized-access risk.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The comments explicitly describe an anti-detection layer designed to evade platform risk controls by making automation appear human, including randomized delays, human-like clicking/typing, and circuit breakers for captcha detection. In the context of a recruitment automation skill for Boss直聘, this is not neutral UI robustness guidance; it is operational guidance for bypassing platform anti-abuse mechanisms.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The code comments justify gradual native typing specifically because instant fill 'looks like a script,' which directly indicates intent to disguise automation from detection systems. That is a classic evasion pattern: the implementation choice is driven by avoiding bot detection rather than legitimate functional necessity.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
`saveTarget()` writes sensitive operational configuration to a predictable path under the user's home directory without any consent flow, disclosure, or permission hardening. In this skill context, the file can contain recruitment workflow metadata and, in the token mode, a reusable Feishu credential, increasing the blast radius of local compromise or accidental exposure via backups, sync tools, or shared accounts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code persistently stores per-candidate recruitment processing data to a local JSON file under the user's home directory without any access control, minimization, encryption, retention policy, or user-notice mechanism in the implementation. In the context of a recruiting assistant that handles candidate identities and workflow state, local plaintext persistence can expose personal data and hiring activity to other local users, backups, malware, or accidental disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown normalizes stealthy request spoofing without warning the user that such behavior may violate platform rules, create privacy issues, or risk account suspension. Because the surrounding document is devoted to anti-detection tactics, the omission is not harmless documentation debt; it encourages covert operation while concealing the operational and compliance risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `--show` path prints the first 8 characters of the authorization token to stdout. Even partial credential disclosure can aid token identification, correlation across logs/screenshots, or social engineering, especially because setup output may be captured in terminal history, CI logs, or support screenshots. In this recruiting skill, which handles external-service credentials and candidate data, exposing any part of an auth secret is unnecessary and increases operational risk.

Ssd 4

High
Confidence
99% confidence
Finding
The file frames anti-detection tactics as reusable operational guidance across scenarios, including appearing human, throttling actions, and reacting to verification prompts. This promotes systematic evasion of platform protections, making the skill materially more dangerous because it operationalizes stealth automation rather than merely documenting edge-case handling.

Ssd 2

High
Confidence
98% confidence
Finding
The wording uses benign labels such as 'human-like' and 'rhythm' to describe tactics that reduce detectability of automation, including randomized delays and non-DOM interaction methods. In this skill context—processing recruitment inboxes, downloading resumes, and messaging candidates at scale—such euphemistic framing masks bot-evasion behavior that could facilitate unauthorized mass outreach and scraping.

Ssd 4

High
Confidence
99% confidence
Finding
The document is an end-to-end anti-detection playbook: randomized delays, human-like clicking/typing, batch limits, CAPTCHA tripwires, and strategies to avoid looking scripted. In a recruiting assistant, these measures are not incidental reliability guidance; they are tailored to evade platform bot detection and scale automated messaging under the appearance of manual human activity.

Ssd 2

High
Confidence
98% confidence
Finding
The text explicitly states that the goal is to appear like a real human click pattern rather than choose the simplest implementation, which is a direct evasion objective. This is dangerous because it trains the agent to optimize for avoiding detection rather than for legitimate, policy-compliant automation.

Ssd 2

High
Confidence
98% confidence
Finding
The request-disguise section couches spoofing as ordinary operational practice, but it instructs the use of browser fingerprint headers, fetch metadata, credentials, and alternate download paths specifically to blend automated traffic into normal browser behavior. In context, this is covert identity/session masquerading that can help the skill bypass monitoring, anti-abuse checks, and download restrictions.

Session Persistence

Medium
Category
Rogue Agent
Content
git clone https://github.com/<your-name>/boss-recruit ~/.claude/skills/boss-recruit

# 2) Install the matching OpenCLI adapter (downloads attachment resumes with zero pop-ups)
mkdir -p ~/.opencli/clis/boss
cp ~/.claude/skills/boss-recruit/adapters/boss/attachment.js ~/.opencli/clis/boss/

# 3) Confirm OpenCLI is ready (the Browser Bridge extension must be installed and logged in to the Boss recruiter side first)
opencli doctor
Confidence
92% confidence

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
AGENTS.md:23

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:37