Security audit

guolingqiu work experience

Security checks across malware telemetry and agentic risk

Overview

This is a content-only career guidance skill with some disclosed tone and activation concerns, but no evidence of hidden, destructive, or data-exfiltrating behavior.

Install this if you want Chinese-language resume and interview help based on the included work-experience dataset. Be aware that it is written for a specific audience and tone, so users outside that group may need to ask the agent to respond neutrally or adapt the advice to their own real experience.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The example invocation phrases are broad everyday requests such as asking for resume help or interview simulation, which can cause the skill to trigger during ordinary conversation even when the user did not explicitly intend to invoke it. This creates an overbroad activation surface that may unexpectedly steer conversations, expose embedded guidance, or override a more appropriate skill.

Natural-Language Policy Violations

Medium

Confidence: 78% confidence
Finding: The README presents the skill entirely in Chinese and frames the interaction style and usage without offering the user a language choice or opt-in. In practice this can reduce user agency and cause mismatched responses for users expecting another language, though it is primarily a usability and consent issue rather than a direct security flaw.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill’s trigger conditions are broad enough to match generic career-help queries such as resume writing, interview prep, or work-experience analysis, which can cause unintended activation outside the narrow scope of this specific biography-based skill. This is risky because the assistant may inject specialized guidance, assumptions, or persona constraints when the user did not request this skill, leading to irrelevant, biased, or lower-quality responses.

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The skill explicitly targets ‘90%’ young female job seekers and mandates a gender-coded response style without checking whether the current user wants that framing. This can impose unwanted assumptions about identity and preferred tone, making responses exclusionary or inappropriate for users outside that demographic and potentially resulting in discriminatory personalization.

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: The repeated requirement to address users as 20–25-year-old women in a ‘senior school-sister’ style reinforces identity-based assumptions throughout execution, increasing the chance that the assistant will apply a mismatched persona even when the user did not consent to it. Repetition in the instructions makes the behavior more persistent and therefore more likely to affect outputs across many otherwise unrelated career-support interactions.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The description explicitly states that 90% of target users are '20~25岁女生求职者', which hard-codes a demographic focus without any indication of user choice or inclusive fallback behavior. This can lead to biased tailoring, exclusionary responses, or inappropriate assumptions about users’ gender and age, especially in a career guidance context where personalization should be based on explicit user-provided preferences rather than inferred demographics.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal