Security audit

Interview Prep

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use a local job-analysis service in a purpose-aligned way, with privacy caveats around what job data is sent.

Install only if you trust the local job-analysis service the skill calls. Treat job descriptions and company details as potentially sensitive, confirm what local process is listening on the endpoint, and avoid submitting confidential or private hiring material unless that service’s storage and logging behavior is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to transmit job-related data, including company, role title, and full JD text, to a local HTTP service without any user notice, consent step, or data-minimization guidance. Even though the endpoint is localhost, it is still an external process boundary; sensitive hiring data could be exposed to an unintended local service, logged, or handled by a less-trusted component.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.