Security audit

CareerMax

Security checks across malware telemetry and agentic risk

Overview

CareerMax is a coherent integration skill for using a user's CareerMax account. Its use of an API key and its confirmation step for lasting changes are both disclosed.

Install only if you intend to connect a CareerMax account. Use a dedicated CareerMax agent key, keep CAREERMAX_API_KEY in secure environment storage, and ask the agent to show credit costs before actions where that matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation description is broad enough to match many ordinary career-related user requests, which can cause the skill to activate in situations where it is not clearly needed. Because the skill can access an external CareerMax account and perform state-changing actions after confirmation, overbroad triggering increases the chance of unnecessary data exposure, unintended tool use, or user confusion about where their information is being sent.

VirusTotal

64/64 vendors flagged this skill as clean.