AI Upwork Proposal Writing & Job Tracking System

Security checks across malware telemetry and agentic risk

Overview

This is a local Upwork proposal drafting and tracking skill that stores proposal data on disk but shows no hidden network access or automatic submissions.

Install only if you are comfortable storing your Upwork profile details, job data, drafts, and outcomes in local skill files. Keep those files private, avoid adding secrets, and review every proposal before manually submitting it on Upwork.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Natural-Language Policy Violations

Medium
Confidence: 83%
Finding
The file explicitly instructs that certain proposal openings and styles 'will never' be used, which constrains agent output toward a fixed communication style without any visible user opt-in or preference check. While this is marketing guidance rather than overtly malicious behavior, it can override user autonomy, misalign with user intent, and cause the agent to present proposals in a voice the user did not choose.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase is broad enough that ordinary user conversation could accidentally activate the skill's proposal-drafting workflow. In an agent setting, ambiguous activation can cause unintended processing of pasted content and unintended reads/writes to the skill's local tracking files, which is a real security and safety boundary issue even though the skill is otherwise local-only.

VirusTotal

61/61 vendors flagged this skill as clean.
