Talent Profile Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a text-only hiring-analysis helper that uses public job-market information and does not install code, persist data, or request credentials.

Before installing, consider whether you want a skill that may proactively search public job postings for hiring analysis and that defaults to Chinese output. It should not be used to scrape gated recruiting sites, bypass access controls, or collect personal candidate data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The activation description is broad enough to trigger on common requests about job titles, company culture, or benchmarking job posts, which can cause the skill to activate when the user did not specifically ask for talent-profile generation. Over-broad routing can lead to unintended tool use, irrelevant collection of external job-market data, and responses that steer the conversation into hiring analysis without sufficient user intent confirmation.

Natural-Language Policy Violations

Low

Confidence: 84% confidence
Finding: Defaulting to Chinese output without checking the user's language preference can cause user-intent mismatch and reduce transparency, especially in multilingual environments. While not a direct security flaw, it can degrade reliability and may create downstream errors if users assume the system will preserve their requested language or locale.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal