Back to skill

Security audit

Popeye Career

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese career-writing skill that asks for user-provided resume or workplace text but does not run code or request hidden access.

Install only if you want a Chinese-language career assistant. Before using it, remove or mask phone numbers, email addresses, home addresses, ID numbers, exact compensation, client names, and confidential business metrics from resumes or reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase “帮我准备面试” is broad natural language that can easily overlap with ordinary user requests, making unintended activation plausible. In a skills-routing system, overly generic triggers can cause the wrong skill to take control, which may lead to confusing behavior, policy mismatches, or disclosure of irrelevant guidance, though the security impact here is limited by the benign interview-prep scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase `写汇报` / `帮我写汇报` is very generic and likely to match normal user requests outside a narrowly scoped skill invocation flow. Overly broad activation can cause unintended routing to this skill, creating prompt-selection ambiguity and increasing the chance that unrelated user input is handled with the wrong template or policy context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to paste their full resume, which commonly contains sensitive personal data such as phone numbers, email addresses, home location, employment history, and education details, yet it provides no warning or minimization guidance. This creates an avoidable privacy risk because users may disclose more personal information than necessary for the task, especially in a broad consumer-facing workflow.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.