Singapore Maid Search

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Sunrise Link maid-search skill, but it asks for and displays sensitive hiring attributes without enough safeguards.

Review before installing or using. Use the skill only if the Sunrise Link source is trusted and any filters involving religion or nationality are lawful, necessary, and appropriate; avoid entering unrelated private details, and treat profile links as external pages that may expose more personal information than the API response.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly solicits sensitive preference attributes such as nationality and religion/dietary restrictions without any guardrails about lawful, fair, or non-discriminatory use. In an employment-matching context, this can facilitate discriminatory hiring decisions and cause legal, compliance, and reputational harm, especially because the assistant is instructed to operationalize those preferences into search filters.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The guide explicitly directs consumers to use the candidate `profileUrl` for the full profile while simultaneously emphasizing that the API excludes PII. That creates a privacy boundary ambiguity: an agent may treat the linked profile as a safe extension of the API and surface or retrieve additional personal data from the website without user awareness or policy checks.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal