Job Lead Radar

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed job-board scraping skill that saves results locally, with no evidence of hidden credential use, exfiltration, destructive behavior, or privilege escalation.

Install only if you want a tool that makes outbound requests to job sites and saves scraped results locally. Review the `scrapling` dependency and the target sites' terms, and use the cron examples only if you intentionally want scheduled scraping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes very generic phrases such as "job openings," "hiring now," and "career page," which can match ordinary user requests and cause the skill to run when the user did not explicitly ask for scraping. Because this skill performs external web scraping and scheduled collection, unintended invocation can lead to unnecessary network activity, unexpected data collection, and actions the user did not clearly authorize.

Missing User Warnings

Low
Confidence: 79%
Finding
The skill documents that results are saved to `job_leads.json`, but the description and invocation guidance do not clearly warn users up front that running the skill writes collected data to local storage. This can create a transparency and consent problem, especially on shared systems or automated environments where users may not expect persistent files to be created.

VirusTotal

66/66 vendors flagged this skill as clean.
