
Security audit

Boss Zhipin Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill is partly a BOSS window screenshot tool, but it also contains broad recruiting automation that can click inside the BOSS直聘 desktop app, message candidates, collect resumes, and run shell commands defined in workflow steps, which is far more than a simple watcher.

Install only if you intend to grant this skill active control over the BOSS desktop app and recruitment workflows, not just screenshot access. Review and remove the bulk greeting, messaging, resume, offer, shell workflow, and persistent storage pieces unless you explicitly want those actions and can supervise them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (75)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Recognize the content with OCR
try:
    result = subprocess.run(["node", OCR_SCRIPT, chat_screenshot, "--lang", "chi_sim"],
                            capture_output=True, text=True, encoding='utf-8', errors='ignore')
    message = result.stdout.strip()
Confidence
93% confidence
Finding
result = subprocess.run(["node", OCR_SCRIPT, chat_screenshot, "--lang", "chi_sim"], capture_output=True, text=True, encoding='utf-8', errors='ignore')

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if step["tool"] == "exec":
    command = self.substitute_vars(step["parameters"]["command"])
    print(f"Executing command: {command}")
    result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True)
    print(f"Execution result: {result.stdout}")
elif step["tool"] == "message":
    message = self.substitute_vars(step["parameters"]["message"])
Confidence
98% confidence
Finding
result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True)
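The second finding is the one that turns scope creep into code execution: the exec step interpolates workflow variables into a command string and hands it to a shell. Values such as a candidate name come from OCR of chat text, so they are attacker-controlled. The block below is an added example, not the skill's own code, that places the flagged pattern beside a hardened runner. It assumes `substitute_vars` is plain `{name}` text substitution, uses `echo` as a stand-in program, and uses a hypothetical allowlist `ALLOWED_PROGRAMS`; it runs on a POSIX system.

```python
import shlex
import subprocess

# Constructed workflow step in the shape the audited runner consumes
# (step["tool"], step["parameters"]["command"]); the skill's real workflow
# files are not shown on this page.
STEP = {"tool": "exec", "parameters": {"command": "echo {candidate_name}"}}

# Constructed variables: the value is what OCR read out of a candidate's
# chat message, so it must be treated as attacker-controlled.
VARIABLES = {"candidate_name": "Li Lei; echo INJECTED"}


def substitute_vars(text, variables):
    """Textual {name} substitution, assumed to match the flagged runner."""
    for name, value in variables.items():
        text = text.replace("{" + name + "}", str(value))
    return text


def run_step_unsafe(step, variables):
    """The flagged shape: substitute first, then hand the string to a shell.
    The `;` inside the candidate name becomes a second command."""
    command = substitute_vars(step["parameters"]["command"], variables)
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


# Hypothetical allowlist of programs an exec step may start; a step that
# names anything else is refused instead of executed.
ALLOWED_PROGRAMS = {"echo", "node"}


def build_argv(step, variables):
    """Split the *template* before substitution, so a substituted value can
    never add arguments, then substitute per argument with no shell involved."""
    argv = shlex.split(step["parameters"]["command"])
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"exec step refused: {argv[:1]!r} is not allowlisted")
    return [substitute_vars(arg, variables) for arg in argv]


def run_step_hardened(step, variables):
    """argv[0] is exec'd directly; the `;` is just bytes in argv[1]."""
    argv = build_argv(step, variables)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("unsafe:  ", repr(run_step_unsafe(STEP, VARIABLES)))    # two lines of output
    print("hardened:", repr(run_step_hardened(STEP, VARIABLES)))  # one line, payload inert
```

The unsafe runner prints `Li Lei` and then `INJECTED` on a second line, because the shell split the interpolated string on `;`. The hardened runner prints the whole value as one argument. Allowlisting the program is the part that matters for a skill that ships its own workflow files: without it, `node` or `curl` with a candidate-controlled argument is still a data exfiltration path even with `shell=False`.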

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented workflow expands from passive monitoring into active recruitment automation, including navigation, candidate handling, and enterprise communication. In this context, the mismatch increases risk because a skill framed as a watcher can instead drive sensitive business processes and access personal candidate information without appropriate review or consent controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automated candidate interaction, resume downloading, and enterprise messaging are unnecessary for a screenshot watcher and significantly expand access to personal data and external communications. These capabilities could be misused to exfiltrate resumes, send unauthorized messages, or manipulate recruiting workflows far beyond the user's apparent request to view BOSS content.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill's branding and early description emphasize monitoring and screenshots, but later instructions include active UI manipulation and workflow execution. This deceptive framing can cause operators to underestimate the risk, approve the skill too broadly, and expose sensitive recruiting actions or data to unintended automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest advertises capabilities well beyond the stated skill purpose of locating and screenshotting a BOSS直聘 desktop window, including recruitment automation, interactions, greetings, replies, and WeChat communication. This scope expansion is dangerous because downstream systems or operators may rely on manifest metadata for trust, routing, or consent decisions, enabling the skill to be invoked for broader automation involving sensitive candidate communications and personal data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file defines a full recruitment automation workflow—candidate outreach, chat processing, resume collection, printing, phone contact, and offer sending—while the skill metadata claims the skill only recognizes a BOSS desktop window and captures a screenshot. This scope mismatch is dangerous because invoking a seemingly low-risk screenshot skill could trigger broad business actions and handling of sensitive candidate data without clear user awareness or consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
These steps automate candidate messaging, filtering, and chat processing under a skill presented as screenshot-only. That creates a hidden action surface where a user requesting to 'look at BOSS chat' could instead cause outbound communications or workflow execution affecting real candidates and external platforms.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Resume collection, printing, phone calls, and offer sending involve sensitive personal data and consequential employment actions that far exceed screenshot capture. Embedding these functions in this skill increases the risk of unauthorized processing of candidate PII, accidental hiring actions, and privacy or compliance violations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The meeting reminder is unrelated to the skill's declared screenshot purpose, indicating scope creep and poor boundary control. While lower impact than candidate-facing automation, unrelated functionality in a security-sensitive agent increases unpredictability and weakens user trust in what the skill may do when invoked.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file defines a full end-to-end recruiting automation workflow, including candidate outreach, resume handling, phone contact, and offer sending, while the skill metadata claims only BOSS window recognition and screenshot capture. This scope mismatch is dangerous because it can cause the agent to perform sensitive business actions and process personal data far beyond what a user or reviewer would reasonably expect from the declared skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The workflow contains outreach, WeChat coordination, candidate response processing, phone contact, and offer-sending actions that are unrelated to a screenshot utility. These actions can trigger external communications and employment decisions, creating substantial risks of unauthorized contact, privacy violations, and unintended real-world consequences if invoked under the guise of a passive desktop-inspection skill.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments and top-level description openly describe a comprehensive recruitment workflow, contradicting the screenshot-only metadata presented to users and reviewers. This inconsistency undermines trust and reviewability, and it increases the risk that powerful hidden or under-declared behavior is deployed without appropriate scrutiny or user understanding.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill manifest describes passive window recognition and screenshot capture, but the code implements active GUI automation, OCR-driven data extraction, bulk clicking, and task execution logic. This mismatch is dangerous because a user or platform may grant it screenshot-related trust while it actually performs unsolicited actions inside BOSS直聘, including outreach-like behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
These functions activate the target window and click coordinates inside it, enabling direct manipulation of the BOSS直聘 desktop app. For a watcher/screenshot skill, such UI interaction is unjustified and can trigger unintended actions like contacting candidates, changing state, or interacting with sensitive account content without meaningful confirmation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The configuration embeds workflow-specific controls and quotas for greetings, WeChat contact actions, resume downloads, and scoring, showing the skill is designed to automate recruiting operations rather than just capture screenshots. In this context, the hidden operational scope increases the chance of unauthorized mass actions, policy violations, and exposure of sensitive hiring data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code creates a persistent captures directory and stores operational artifacts even though the manifest does not disclose local retention. Because screenshots and task records may contain candidate identities, chat contents, and hiring activity, undisclosed persistence creates avoidable privacy and data-handling risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script goes beyond passive window recognition and single screenshot capture by activating the target app, clicking chat items, and scrolling through multiple views. That behavior materially expands access to additional conversations and candidate data, creating unauthorized UI interaction and bulk collection risk that is not disclosed in the skill description.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The helper functions implement generic in-window clicking and scrolling, enabling the skill to traverse chats and alter application state despite the stated screenshot-only purpose. In a messaging/recruitment context, such automation can expose additional sensitive candidate conversations and may trigger unintended actions in the desktop app.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module docstring explicitly describes automatic page-turning and click-based screenshot collection, which conflicts with the narrower declared capability of window recognition and screenshot capture. This documentation signals intended overcollection behavior and makes the broader interactive functionality more concerning in context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code performs active UI automation clicks even though the skill description says it identifies and screenshots the BOSS直聘 window. Hidden click capability can alter application state, open chats, and interact with user data without clear consent, which is especially risky in a job/recruiting context containing sensitive personal information.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The CLI exposes automation actions such as clicking chat items, message input, and send controls that are not disclosed in the manifest. This creates a capability mismatch where callers may believe they are invoking a screenshot tool but can actually drive parts of the desktop app, enabling unauthorized interaction or accidental message workflows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Including message_input and send_button targets gives the skill the ability to navigate toward composing and potentially sending messages, which is unrelated to a screenshot-only purpose. In a desktop automation setting, this can be chained with other tooling or future changes to impersonate the user, disclose private information, or manipulate recruiter/candidate communications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module runs OCR position-updating logic during import, causing screenshots, temporary file creation, and subprocess execution before the user explicitly invokes a command. Import-time side effects are dangerous because simply loading the module can capture sensitive on-screen content and perform unannounced processing.
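The two subprocess findings above and this import-time finding are the kind of thing that is cheap to check yourself before installing a skill, using the "Behavioral AST" approach the pattern list names. The scanner below is an added example, not SkillSpector's code and not the skill's; its watched-call list and the sample module are constructed for the example (the sample mimics the flagged snippets: a list-argv OCR call, a `shell=True` exec step, and a position-update function called at module scope). It flags `shell=True` on subprocess calls, and it flags watched calls, or calls to local functions that contain watched calls, that run at import time, treating function bodies and `if __name__ == "__main__":` blocks as deferred.

```python
import ast

# Calls worth a finding in a desktop-automation skill. Constructed for this
# example; the audit tool's real pattern list is not on this page.
WATCHED = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system",
    "pyautogui.screenshot", "pyautogui.click",
}
FUNC_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)

# Constructed sample module shaped like the flagged code.
SAMPLE = '''
import subprocess
import pyautogui

OCR_SCRIPT = "ocr.js"

def ocr(path):
    result = subprocess.run(["node", OCR_SCRIPT, path, "--lang", "chi_sim"],
                            capture_output=True, text=True)
    return result.stdout

def run_step(command):
    return subprocess.run(command, shell=True, check=True, capture_output=True, text=True)

def update_positions():
    pyautogui.screenshot("shot.png")
    return ocr("shot.png")

update_positions()          # runs when the module is merely imported

if __name__ == "__main__":
    run_step("echo hi")     # guarded: not an import-time side effect
'''


def dotted_name(node):
    """Render `a.b.c` from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_main_guard(node):
    """True for `if __name__ == "__main__":`, whose body is not import-time."""
    if not isinstance(node, ast.If) or not isinstance(node.test, ast.Compare):
        return False
    left, comps = node.test.left, node.test.comparators
    return (isinstance(left, ast.Name) and left.id == "__name__" and len(comps) == 1
            and isinstance(comps[0], ast.Constant) and comps[0].value == "__main__")


def has_shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan(source):
    tree = ast.parse(source)
    # Pass 1: top-level functions that directly contain a watched call
    # (one level; no transitive closure, which a fuller tool would add).
    risky_funcs = set()
    for fn in tree.body:
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if any(isinstance(n, ast.Call) and dotted_name(n.func) in WATCHED
                   for n in ast.walk(fn)):
                risky_funcs.add(fn.name)

    findings = []

    def visit(node, deferred):
        # deferred: this node only executes when something calls it later
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in WATCHED:
                flags = []
                if name.startswith("subprocess.") and has_shell_true(node):
                    flags.append("shell=True")
                if not deferred:
                    flags.append("import-time")
                findings.append({"line": node.lineno, "call": name, "flags": flags})
            elif name in risky_funcs and not deferred:
                findings.append({"line": node.lineno, "call": name, "flags": ["import-time"]})
        child_deferred = deferred or isinstance(node, FUNC_NODES) or is_main_guard(node)
        for child in ast.iter_child_nodes(node):
            visit(child, child_deferred)

    visit(tree, False)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['call']:<22} {' '.join(f['flags']) or 'in function'}")
```

Against the sample this reports four items: the list-argv `subprocess.run` inside `ocr` with no flags (present, but not a shell call), the `subprocess.run` in `run_step` flagged `shell=True`, the `pyautogui.screenshot` inside `update_positions`, and the module-scope `update_positions()` flagged `import-time`. The guarded `run_step("echo hi")` is not reported. Running the same check over the skill's own modules before installing it is the practical counterpart to the findings on this page.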

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module presents itself as a screenshot tool, but the implementation includes automated clicking and navigation behavior. This misrepresentation increases risk because reviewers, users, or higher-level agents may grant the skill access under a read-only assumption while it can actually modify UI state.

VirusTotal

None of the 65 VirusTotal vendors flagged this skill as malicious. That is a signature scan for known malware; it says nothing about the scope and agency findings above, which are about what the skill is designed to do rather than whether it carries a known payload.
