Back to skill

Security audit

Upwork Proposal Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a narrow writing-assistance skill for drafting Upwork proposals, with only a minor risk of being invoked too broadly.

Install if you want help drafting Upwork proposals, but review the generated proposal yourself before using it. Avoid pasting private client details or sensitive personal information unless you are comfortable having the agent process that text, and prefer explicit requests like “generate an Upwork proposal for this job post” to avoid accidental activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation rule is overly broad because it triggers whenever a user sends any job post link or job-related text, without clear scoping, consent, or exclusions. In an agent environment, this can cause unintended invocation, processing of irrelevant or sensitive content, and surprise actions on user input that merely resembles a job post.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.