Jobautopilot Tailor

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised resume-tailoring workflow, with expected access to resume files, contact details, job listings, and local output files.

Install only if you are comfortable giving the skill access to your configured resume folder, job tracker, and personal contact details. Keep RESUME_DIR limited to career documents you want processed, verify the template URL before using it, and review generated resumes and cover letters before sending them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill directs the agent to create resume and cover-letter files and to update the job tracker state, but it does not prominently warn users that local files and tracker records will be modified. In a workflow that processes sensitive career data, silent state changes can cause data integrity issues, accidental overwrites, or unintended disclosure through generated documents.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill requires sensitive personal-data environment variables such as full name, email, phone, and LinkedIn URL, but it does not explicitly disclose that these values will be accessed and embedded into generated application documents. Because the skill also uses web and browser tools, undisclosed handling of personal data increases privacy and misuse risk even if exfiltration is not explicitly instructed here.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal