Security audit

Recruiting Resume Screening

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate resume-screening helper, but it tells agents to look through prior chats, notes, Downloads, and cache folders for old resumes without a clear approval step.

Install only if you are comfortable with an agent helping locate and process older resume/JD files from prior conversations or local folders. For safer use, provide the exact files yourself, require confirmation before any recovered file is opened, and delete local extracted text, summary, and report files when the hiring review is complete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose is resume screening, but the workflow also performs local PDF extraction, text cleaning, quality scoring, backend comparison, and writes extracted candidate data to disk. That mismatch matters because resumes contain sensitive personal data, and users may not realize the skill is transforming and persisting files beyond simple evaluation, increasing privacy and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to recover prior candidate materials by searching conversation history, local notes, and cache/download directories. That expands access beyond files supplied in the current request and can expose sensitive personal data from unrelated hiring workflows or prior users without fresh, explicit authorization.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file contains conflicting guidance: it first says to process only files from the current batch, then later authorizes searching historical caches and notes for prior materials. That contradiction weakens scope boundaries and makes it more likely the agent will over-collect data outside the user's present request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions tell the agent to inspect local cache directories such as ~/Downloads and other common temporary locations for historical attachments, without an explicit warning or permission flow. In a resume-screening context, those directories may contain highly sensitive PII and unrelated documents, so ambient file access is especially risky.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill directs the agent to generate a local markdown report file before sending it back, which creates a data-at-rest artifact containing candidate evaluations. While likely operationally motivated, writing hiring assessments to disk can leave sensitive personal data in local storage without disclosure, retention controls, or cleanup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs storing extracted resume text and summary artifacts to disk, including per-resume .txt outputs and summary.json, without any explicit warning that these files contain sensitive personal data. In a recruiting context, resumes commonly include PII such as names, phone numbers, email addresses, employment history, and education records, so writing them to shared or persistent temporary locations can create unintended data exposure and retention risks.

Ssd 3

High
Confidence
97% confidence
Finding
The recovery workflow instructs the agent to retrieve prior user files and details from conversation search, local notes, and cache directories when re-evaluating earlier batches. This is a form of cross-session data access and persistence reuse that can bypass normal user intent boundaries and expose confidential resume and hiring information from prior interactions.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.