Dataify Google Jobs

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Jobs API helper, but it deserves review because it handles a Dataify API token and may expose it via command-line arguments while sending job-search details to a third-party API.

Review before installing. Use DATAIFY_API_TOKEN from your environment instead of passing tokens on the command line, confirm that you understand every parameter before approving a call, and avoid putting sensitive job-search or location details into queries unless you are comfortable sending them to Dataify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
The trigger description is overly broad: it activates not only on an explicit command ('Call Google Jobs') but also when the user merely specifies job-search fields. That can cause unintended skill invocation and external API calls for ordinary job-related conversation, increasing the risk of data leakage, unexpected network access, and user surprise.

Natural-Language Policy Violations

Medium, 84% confidence
Finding
Forcing a Chinese-language parameter table regardless of the user's language can mislead users about the parameters they are approving, especially in a confirmation step that gates an API call. This weakens informed consent and increases the chance of accidental approval of incorrect or privacy-sensitive parameters.

Missing User Warnings

Medium, 80% confidence
Finding
The script sends user-provided search terms and related parameters such as location to an external third-party API, but it does not present any explicit warning or confirmation that this data will leave the local environment. In an agent-skill context, users may assume searches are local or first-party, so silent transmission can create privacy and data-handling risk, especially if queries contain sensitive job-seeking or location information.

VirusTotal

VirusTotal findings are pending for this skill version.
