Back to skill

Security audit

Career Hunter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent job-search helper that saves career-related files locally, so its main risk is privacy handling of sensitive personal job data.

Before installing, be comfortable with the assistant creating local files that may include job targets, referrals, salary notes, resume content, and cover letters. Use a private machine or protected folder, review generated content before sharing it, and delete the tracker or documents when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include broad, everyday terms like "job search" and "career," which can cause the skill to activate in contexts where the user did not intend to invoke it. Unintended invocation is risky here because the skill is authorized to handle sensitive employment data and perform persistent local writes, increasing the chance of accidental collection or storage of personal information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs storage of application data in ~/.openclaw/job-tracker.json without informing the user that personal employment information will be persisted to disk. This can expose sensitive data such as job targets, notes, referrals, and salary expectations to other local users, backups, or later unintended reuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill saves resumes and cover letters locally, but does not notify the user that highly sensitive personal and employment data will be written to disk. Resume and cover-letter files often contain full identity, contact details, work history, and targeting information, so silent persistence creates privacy and data-retention risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.