Security audit

第二阶段：面试前匹配度分析

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HR document workflow for comparing resumes against job descriptions and generating a matching report.

Install this only if you intend to process candidate resumes and job descriptions for HR interview preparation. Because resumes contain personal data, use it with appropriate authorization and confirm intent when a request is just a generic matching-report task.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger phrase is broad enough to activate on generic requests for analysis reports or matching reports, which can cause the wrong skill to run outside its intended context. In an agent system, overbroad routing can expose user documents to unintended processing paths, produce incorrect outputs, and bypass more appropriate workflow or consent checks.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: The skill metadata and body require Chinese output without checking the user's language preference, which can override user intent and reduce transparency about how their data will be processed. While not directly enabling code execution or data exfiltration, it can cause unauthorized transformation of output format and create usability, accessibility, or compliance issues in multilingual environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.