Back to skill

Security audit

Job Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local job-application tracker whose disclosed SQLite storage matches its purpose.

Install only if you are comfortable keeping job-search records, recruiter contact details, and notes in a local SQLite database under the skill directory. Avoid storing unnecessary sensitive information, especially on shared, backed-up, or synced devices, and remove the .runtime/job-tracker.db file when you no longer want the saved data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes a local Python helper through shell commands but does not declare any corresponding permissions, creating a mismatch between documented behavior and the security model. Even though the demonstrated commands appear narrowly scoped to a local SQLite job tracker, undeclared shell capability increases risk because an agent may execute commands without clear user or platform consent boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.