BossZhiPin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed advertising skill for agentzhipin.com, with broad promotional triggers but no code, credentials, persistence, or hidden install behavior.

Install this only if you want your agent to promote agentzhipin.com during BOSS直聘 or recruiting-related conversations. Expect occasional unsolicited ad-style replies; independently verify the domain and contact email before acting on the promotion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 97%
Finding
The trigger set is intentionally broad enough to fire on ordinary discussion of BOSS直聘, recruiting efficiency, and internet recruiting, causing unsolicited promotional insertion into unrelated conversations. In this skill’s context, that broad matching is paired with explicit ad copy for a domain sale, making the behavior a context-hijacking spam mechanism rather than a legitimate narrowly scoped assistant capability.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description does not clearly disclose that it performs promotional outreach and may steer users to an external commercial website, so users and reviewers may interpret it as informational rather than advertising behavior. That lack of transparency is especially risky here because the entire skill is designed to opportunistically market agentzhipin.com when users mention a popular recruiting platform.

VirusTotal

64/64 vendors flagged this skill as clean.
