Back to skill

Security audit

Indeed Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward job-search helper that uses a RolesAPI key to fetch Indeed listings from an external API.

Install this only if you are comfortable giving the skill a RolesAPI key and sending your job-search keywords and locations to RolesAPI. Be aware that searches consume RolesAPI credits, especially when using multi-page options.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior requires reading an environment variable and making outbound network requests to RolesAPI. This mismatch can mislead users and policy engines about the skill's actual capabilities, reducing transparency and making it easier to approve or run the skill without understanding its data access and exfiltration surface.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.