Openjobs People Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent recruiting integration, but it should be reviewed because it handles API keys and can unlock candidates' email addresses without enough safeguards.

Review before installing. Use a secure way to provide MIRA_KEY, avoid printing or pasting real keys into chat or shared terminals, and only unlock candidate emails when you have a legitimate recruiting purpose and can handle the data under applicable privacy, consent, and platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill enables unlocking personal contact information for candidates and presents it as a routine operation, but it provides no privacy, consent, or authorized-use warning. In a recruiting context, exposing personal email data without guardrails increases the risk of misuse, privacy violations, and collection of personal data beyond the user's legitimate purpose.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to check for and export an API key directly in the shell without any warning about secret exposure, shell history, logging, or safer credential storage. This can lead to accidental disclosure of the key through terminal history, shared sessions, process inspection, or copied transcripts, enabling unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.
