Job Search Skills Advisor

Security checks across malware telemetry and agentic risk

Overview

This career-advice skill is simple, but it publishes a payment API key and leaves its per-use billing details unclear, so it should be reviewed before installation.

Review this skill before installing. The advisory career guidance content is ordinary and there is no executable code, but the publisher should remove and rotate the exposed payment/API key and clearly document whether using the skill can trigger charges and how users authorize them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill documentation includes what appears to be a real API/payment secret key directly in the markdown, even though the skill's stated purpose is career advice and does not require exposing backend credentials to users. Hardcoded secrets in public-facing documentation can be harvested and abused for unauthorized charges, account access, or service impersonation.

Missing User Warnings

High
Confidence: 99%
Finding
The markdown exposes payment-related configuration and an API key without any security boundary, warning, or need for end-user visibility. Because this is a job-advice skill, embedding a live credential is especially suspicious and increases the likelihood of credential theft, fraudulent usage, or abuse of a linked billing account.

VirusTotal

66/66 vendors flagged this skill as clean.
