Back to skill

Security audit

职得Offer校园求职助手

Security checks across malware telemetry and agentic risk

Overview

This is a transparent job-search helper that sends user-requested searches to the 职得Offer API using a user-provided key.

Install only if you trust the 职得Offer service with your job and interview search queries. Prefer setting the API key in ZHIDE_OFFER_KEY, keep any config file private, and be deliberate when invoking the skill because some trigger terms are broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases include very broad terms like “offer”, “求职”, and “找工作”, which can overlap with ordinary conversation and cause the skill to activate when the user did not clearly intend to use this external job-search integration. Because the skill can then send user queries to a remote service, overbroad activation increases the chance of unintended data disclosure and confusing or unsafe tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes sending authenticated requests and user-supplied search terms to a third-party endpoint, but it does not provide a clear user-facing notice that their queries and associated metadata will leave the local environment. This is a privacy and transparency issue: users may enter sensitive job-search, company, or interview-preparation information without realizing it will be transmitted to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.