Back to skill

Security audit

Candidate Assessment

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: reads resumes and job descriptions, evaluates fit, and creates local hiring assessment reports.

Before installing, be aware that the skill may install the unpinned pdfmuse package from the Python package ecosystem and will create local reports containing candidate PII and hiring judgments. Use it in a controlled environment, keep generated reports private, and prefer a pinned/preinstalled dependency setup for production or sensitive recruiting workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return pdfmuse
    except ImportError:
        print("pdfmuse not found -- installing (one-time)...", file=sys.stderr)
        subprocess.run([sys.executable, "-m", "pip", "install", "-q", "pdfmuse"],
                       check=True)
        import pdfmuse  # noqa: F401
        return pdfmuse
Confidence
96% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "-q", "pdfmuse"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly instructs running Python scripts, invoking shell commands, and writing outputs such as assessment.json, report.html, and report.pdf, yet it declares no permissions beyond tool requirements. This creates a transparency and policy gap: users and host systems are not clearly informed that the skill will execute commands and write files, which can lead to unsafe execution in environments that rely on declared permissions for trust and containment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description understates or omits important behavior, including runtime package installation and PDF export via a local browser, while also claiming functionality that is actually delegated to other skills or the model. This mismatch is dangerous because users may approve execution under false assumptions, and hidden dependency installation or browser automation expands the attack surface and can introduce supply-chain or local-environment risks.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A JD-reading utility should not need to dynamically fetch and install software during normal execution. This creates a supply-chain and environment-manipulation risk: a malicious or compromised package, index, mirror, or installation hook could run arbitrary code under the current user's privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This skill processes resumes and hiring assessments, which commonly contain highly sensitive personal data such as contact details, employment history, education, and evaluative judgments. The absence of any privacy, retention, redaction, or consent guidance increases the risk of mishandling PII and generating sensitive reports that may be stored, opened in browsers, or shared insecurely.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The prompt hard-codes Chinese output and full-width punctuation, overriding likely user language preferences and reducing user control over the skill's behavior. While not a classic security exploit, this is a genuine prompt-safety and policy issue because it can cause unintended output transformations, mishandle downstream consumer expectations, and make the skill less reliable in multilingual contexts.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfmuse
Confidence
95% confidence
Finding
pdfmuse

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.