Openjobs Jobs Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenJobs AI job-search skill, but its setup instructions can expose the user's API key by printing or pasting it insecurely.

Install only if you trust OpenJobs AI and are comfortable sending job-search filters to its API. Do not run `echo $MIRA_KEY` or paste the key into chat; configure it through a secure secret or environment mechanism, and rotate the key if it has already been printed or logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs reading `MIRA_KEY` from the environment and asks users to paste/export the API key, but it provides no warning about safe credential handling, storage, shell history exposure, or avoiding disclosure back to the model/UI. In an agent setting, this can normalize unsafe secret handling and increase the chance of accidental credential leakage or reuse in an untrusted context.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the agent to send user-supplied search parameters and an authorization header to `mira-api.openjobs-ai.com`, but it does not disclose to the user that their query content will leave the local environment and be processed by a third-party service. This creates a privacy and consent issue, especially if users include sensitive employment preferences, company targets, or location data in searches.

VirusTotal

66/66 vendors flagged this skill as clean.
