Lofy Career

Security checks across malware telemetry and agentic risk

Overview

This career-management skill is useful and mostly purpose-aligned, but it needs review because it can persistently change sensitive job-search records after broad career conversations without clear confirmation.

Install only if you are comfortable with the assistant reading career profile data and maintaining a local application-tracking file. Before using it, instruct the assistant to show the exact record change or email draft and wait for your explicit approval before writing data, scheduling follow-ups, or sending anything.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The skill description is broad enough to trigger on ordinary job-search or career-related conversation without clear user intent to invoke this specific skill. That can cause unintended access to and use of sensitive career data, including application history, interview prep details, and follow-up workflows, especially when combined with stateful instructions elsewhere in the skill.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The instruction to update persistent JSON immediately after any career conversation authorizes silent state changes without explicit user consent or notification. In this context, the file stores sensitive job-search records, so accidental or overly broad activation could lead to unwanted persistence, data corruption, or privacy issues across future sessions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal