Back to skill

Security audit

recruitment-assistant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent resume-screening helper, but it handles sensitive candidate data and generated hiring reports that users must protect.

Install only if you are authorized to process the resumes involved. Keep job folders and generated reports access-controlled, avoid sharing reports beyond the hiring team, review or redact unnecessary PII, and confirm your agent/model setup meets any requirement that candidate data stay local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes generating and sharing interview reports derived from resumes, which contain sensitive personal data, but it does not provide guidance on access control, minimization, retention, or safe sharing practices. In a recruitment context, this can lead to privacy violations, over-disclosure of candidate PII, and noncompliance with data protection obligations even if processing is local.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description says it should trigger whenever a user wants to screen resumes, evaluate candidate fit, or prepare interview questions, but it does not clearly constrain scope or require explicit confirmation before accessing local files. In an agent environment, broad trigger phrasing can cause the skill to activate during ordinary HR discussion and begin processing folders containing sensitive candidate data without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill processes resumes and extracts highly sensitive personal data such as names, contact details, education, and work history, yet it does not prominently warn users that this information will be read, analyzed, and written into generated reports. This increases the risk of accidental over-collection, unauthorized internal sharing, and creation of derivative files containing personal data without informed user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal