dataify-indeed-job-listings

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify helper for collecting Indeed job listings, but users should handle the Dataify token carefully.

Install only if you intend to send Indeed job URLs to Dataify. Prefer setting DATAIFY_API_TOKEN through a secure local secret mechanism or environment variable instead of passing it with --token, and review the confirmation table before approving any API call.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill instructs the agent to access environment variables and make outbound network/API calls, but it does not declare permissions for those capabilities. This creates a trust and enforcement gap: a reviewer or runtime may not realize the skill can read secrets such as DATAIFY_API_TOKEN and send data to an external service, increasing the risk of unintended secret use or data exfiltration.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal