Technical Writer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate career-assessment tool, but it should be reviewed because it handles identifiable career-profile data without enough privacy and retention disclosure.

Before installing, confirm where career assessment data is sent and stored, how long it is retained, and how deletion works. Avoid sharing unnecessary identifiers, exact employers, salary details, or sensitive personal history unless you trust the provider and need that detail for the assessment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill requests and documents collection of detailed career-assessment data together with persistent tracking fields such as sessionId, timestamp, prior roles, and optionally userId, but provides no privacy notice, retention limits, or guidance on handling personal data. This creates a real privacy and compliance risk because users or integrators may transmit identifiable profiling data to a third-party API without informed consent or minimization controls.

VirusTotal

65/65 vendors flagged this skill as clean.
