Indeed Brightdata

Security checks across malware telemetry and agentic risk

Overview

The skill generally does what it says, but its cleanup code can delete files named in a local history file instead of limiting deletion to its own results folder.

Review before installing. This skill needs your Bright Data API key, sends Indeed search inputs and URLs to Bright Data, and stores cache, pending jobs, history, and results under ~/.config/indeed-brightdata/. The main local risk is the cleanup routine: if history.json is modified, it could delete an arbitrary file accessible to your user account. Prefer a version that constrains cleanup to the managed results directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The README explicitly states that data is sent to the Bright Data API, but it does not clearly warn users that job-search terms, URLs, and potentially company-research inputs will be transmitted to a third-party service. In an agent-skill context, users may assume searches are local or platform-native, so the lack of prominent disclosure can lead to unintended sharing of sensitive recruiting, employment, or research data.

VirusTotal

64/64 vendors flagged this skill as clean.
