Job Search

Security checks across malware telemetry and agentic risk

Overview

This job-search skill is broadly coherent, but it should go to Review because it under-discloses mock job results, local persistence/export behavior, and scraping-evasion guidance.

Install only if you are comfortable with this skill sending job-search keywords and locations to third-party recruitment sites, saving job-search artifacts locally, and potentially returning simulated listings. Treat results as unverified, avoid using sensitive search terms, and review or disable the scripts that generate mock data, save exports automatically, or suggest anti-bot bypass techniques.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (36)

Tainted flow: 'filename' from input (line 380, user input) → open (file write)

Medium
Category
Data Flow
Content
# Prompt text: "Save results to file? (y/n)"
save = input("\n是否保存结果到文件? (y/n): ").strip().lower()
if save == 'y':
    filename = f"jobs_{keyword}_{city}.txt"
    with open(filename, 'w', encoding='utf-8') as f:
        f.write(output)
    # Message text: "Results saved to: <filename>"
    print(f"结果已保存到: {filename}")
Confidence
90% confidence
Finding
with open(filename, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions while its documented implementation and static analysis indicate network access plus local file read/write behavior. This creates a transparency and trust problem: users or hosting systems may authorize a seemingly low-risk skill that can access the network and create artifacts on disk, increasing the chance of unintended data exposure or unauthorized persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose is a job-search skill, but analysis indicates substantially broader behavior including mock result generation, local database creation, exports to JSON/CSV, disk artifact creation, and testing/stress utilities. This mismatch is dangerous because users and reviewers may consent to a simple search tool while actually running a skill that stores data locally, produces misleading synthetic results, or performs auxiliary behaviors with higher operational and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The deployment guide explicitly recommends proxy use and Selenium browser automation as escalation steps when a target site blocks requests. In the context of a job-search skill, this moves from ordinary retrieval into anti-bot evasion guidance, which can facilitate unauthorized scraping and reduce operator visibility into policy and legal boundaries.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The guide adds SMTP email notification capability even though the skill is described as search-only. That creates an unnecessary outbound communication channel that can be repurposed to exfiltrate scraped data or send unreviewed job data externally, expanding the skill's capability beyond its declared scope.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script explicitly suggests bypass tactics for anti-bot defenses, including adding more spoofed headers, using proxy IPs, and browser automation. In a job-search skill, this materially increases the likelihood of unauthorized scraping against third-party platforms and can facilitate abuse, account blocking, legal exposure, or escalation into more evasive collection behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill advertises search across major Chinese recruitment platforms, but this code primarily searches a local database and fills gaps with fabricated mock listings. In a job-search context, this is dangerous because users may rely on non-existent or stale opportunities, leading to deception, wasted effort, or downstream misuse of fake employment data.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The code permits manual insertion and persistent storage of job records even though the skill is described as a search tool. In this context, that expands the trust boundary: unverified records can be inserted into the local database and later surfaced as search results, enabling poisoning of job data, fake listings, and misleading outputs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill explicitly includes anti-scraping evasion behavior via rotating User-Agent values and deliberate delays to avoid detection. In the context of a job-search skill, this goes beyond normal request handling and can facilitate unauthorized scraping or circumvention of platform protections, increasing legal, operational, and abuse risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code advertises support for three recruitment platforms but only performs a real search against 前程无忧; BOSS直聘 and 智联招聘 always return fabricated mock data. This is a security-relevant integrity issue because downstream users or agents may treat invented listings as real and make decisions, recommendations, or exports based on false information.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments and method names imply that the code is attempting real searches for BOSS直聘 and 智联招聘, but the implementation unconditionally returns mock data. Misleading internal semantics increase the chance that maintainers, reviewers, or calling agents will incorrectly trust the provenance of the results.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module explicitly states it is designed to handle cookies and anti-scraping defenses, and it mimics a real browser with crafted headers plus staged requests and randomized delays. In a job-search skill, this goes beyond ordinary API/client behavior and can facilitate bypassing a site’s access controls or terms-enforced scraping restrictions, increasing legal, operational, and abuse risk.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The code saves remote HTML content from a third-party site to a local file without the behavior being part of the stated search functionality. While not direct code execution, this can unintentionally retain third-party content, tracking artifacts, or sensitive search-result data on disk, creating unnecessary data exposure and privacy risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill can write search results to an arbitrary local path supplied by the caller, which goes beyond a narrowly scoped job-search capability and introduces filesystem side effects. In an agent context, this can be abused to overwrite user files or place data in sensitive locations if untrusted prompts or tool invocations can influence the output path.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The export function writes full search results to local JSON/CSV files without any access control, path restrictions, retention controls, or explicit user consent flow. In a job-search context, results may contain sensitive search preferences or employer-related data, so silent persistence increases local privacy and data-handling risk even if it is not severe on its own.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script generates a hard-coded stress test report that declares success, stability, and production readiness regardless of the actual outcomes of the preceding tests. This can mislead operators into trusting unvalidated reliability claims, causing insecure or unstable code to be promoted to production without proper review.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section explicitly recommends and generates mechanisms to evade anti-bot protections, including header spoofing, user-agent rotation, retries, delays, and browser automation as a fallback. That goes beyond a legitimate job-search test harness and materially enables stealthier scraping of third-party services, increasing legal, operational, and abuse risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script fetches a live third-party search page and saves the full HTML locally for reverse-engineering and parser repair. In the context of a 'job search' skill, this expands behavior into scraper maintenance and site analysis, which can facilitate unauthorized extraction and persistence of third-party content.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This code writes a new local Python script whose purpose is to enhance scraping success via browser-like headers, retries, and timing behavior. Generating tooling that operationalizes stealthier access crosses from testing into capability creation for bypassing access controls on third-party sites.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README shows very broad natural-language triggers such as '搜索 Python开发 北京' and multiple variants without clearly constraining when the skill should activate versus ordinary conversation. In an agent setting, overly permissive trigger phrasing can cause unintended invocation, unexpected outbound requests to third-party job sites, and leakage of user intent or context into searches the user did not explicitly authorize.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The guide instructs saving scraped HTML to a local file for analysis without discussing retention, sensitivity, or cleanup. While this is common for debugging, it can store site content or personal data on disk unexpectedly and create a privacy or data-handling issue if logs and artifacts are retained insecurely.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill sends user-provided search terms and city data to third-party job platforms without any explicit privacy notice or consent flow beyond normal prompts. In a job-search context, these inputs may reveal employment interests, location, or sensitive job-seeking behavior, so undisclosed transmission creates a real privacy risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool sends user-supplied search terms to external recruitment sites without an explicit user-facing warning or consent flow. Search keywords can contain sensitive intent, employer names, project names, or personal job-seeking information, so silent transmission creates a privacy risk in agent-driven environments where users may not realize external requests occur.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically writes search results to JSON and CSV files after execution without prior warning or confirmation. In shared or managed environments this can leave potentially sensitive job-search history and employer/keyword data on disk, creating avoidable privacy and data-handling risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes fetched page content to a local HTML file before giving any meaningful warning or obtaining consent. In the context of a search skill, silent local persistence can surprise users and may leave behind browsed content, identifiers, or other remote page data that another local user or process could access.

VirusTotal

64/64 vendors flagged this skill as clean.
