Interviewly

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward mock-interview API skill, but users should treat interview answers and reports as sensitive data sent to a remote service.

Install only if you are comfortable sending interview content to Interviewly/toolweb and Claude for evaluation. Avoid submitting secrets, confidential employer information, or highly sensitive personal details, and protect session IDs and report URLs because the artifacts do not explain retention, deletion, authentication, or link expiration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes sending sensitive candidate data, including user identifiers and free-form interview responses, to a third-party remote API but provides no privacy notice, retention details, consent guidance, or data-handling constraints. Because interview responses can contain personal, employment, or confidential information, this omission creates a real privacy and compliance risk rather than a purely informational issue.

External Transmission

Medium
Category
Data Exfiltration
Content
```json
{
  "success": true,
  "overall_score": 78,
  "report_url": "https://api.toolweb.in/api/v1/download/sess_a1b2c3d4e5f6",
  "message": "Interview completed. Report generated successfully."
}
```
Confidence
88% confidence
Finding
https://api.toolweb.in/

VirusTotal

63/63 vendors flagged this skill as clean.
