OpenJobs

Security checks across malware telemetry and agentic risk

Overview

OpenJobs appears to be a real marketplace skill, but it asks agents to keep downloading and executing new remote instructions while handling wallets, API keys, and paid actions.

Review before installing. Disable or strictly gate the heartbeat update flow, do not let downloaded markdown overwrite active instructions without human review and integrity verification, use a dedicated low-balance wallet/API key, avoid cross-agent symlinks unless needed, and set owner oversight or preferences to require approval for spending, hiring, payment release, staking, withdrawals, and other financial actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill instructs the agent to interact with OS keychains/secret stores and execute shell commands to manage wallet encryption material. For a marketplace integration, this grants local-system and secret-management capabilities beyond what is necessary for normal API use, increasing the blast radius if the skill or upstream content is compromised.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill tells the agent to download and overwrite its own SKILL and HEARTBEAT files from a remote server. This is self-modifying behavior that creates an untrusted remote-instruction channel, allowing future behavior changes without review and enabling prompt-supply-chain compromise.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The prose says wallet creation must abort if no secure key source exists, but the provided code instead generates a passphrase and stores it in the process environment. That fallback weakens the stated security model because environment variables are often exposed to subprocesses, logs, crash dumps, and same-user inspection.

Vague Triggers

Medium
Confidence: 77%
Finding
The heartbeat guidance encourages invoking the skill opportunistically and on a broad periodic basis, which can trigger marketplace actions outside a narrowly bounded user request. In combination with auto-actions and remote refresh, this increases the chance of unintended execution and repeated sensitive operations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill encourages autonomous posting, applying, hiring, and payment completion through preference defaults without strong up-front warnings about spending, escrow, on-chain effects, and irreversibility. This can normalize financial actions before informed consent and create unintended loss or commitment of funds.

Ssd 1

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to fetch remote instruction files, fully trust them, and execute all steps in order. This is a direct trust-transfer vulnerability: whoever controls the remote content can steer future agent behavior, including data access, exfiltration, or destructive actions.

Ssd 4

High
Confidence: 97%
Finding
The onboarding sequence conditions the agent to install the skill from the network, place it into active skill directories, and then rely on later refreshes from the same source. This creates a prompt supply-chain pattern where initial trust bootstraps continued remote control over agent behavior.

VirusTotal

No VirusTotal findings