review simulate

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Chinese voice-interview practice skill that uses external AI speech/text services and saves local reports as part of its stated function.

Use dedicated API keys, confirm you trust the configured LLM/ASR/TTS providers, avoid sharing confidential employer or identity details during practice, and delete the outputs/ directory or custom report file when it contains sensitive interview content. Use --no-tts or text input when you want to reduce audio generation or audio upload.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script uploads user-provided audio answers to an external ASR service without an explicit just-in-time disclosure or consent prompt when the transfer occurs. In an interview-practice context, responses may contain personal identifiers, employment history, or other sensitive data, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: Interview questions, summaries, and final evaluation content are sent to an external TTS provider and the resulting artifacts are stored on disk without a clear privacy notice. Because interview sessions can include sensitive career and self-description details, exporting and persisting this data can expose users to unintended disclosure on shared systems or through third-party processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal