Security audit

Interview Prep

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use a local job-analysis service in a purpose-aligned way, with privacy caveats around what job data is sent.

Install only if you trust the local job-analysis service the skill calls. Treat job descriptions and company details as potentially sensitive, confirm what local process is listening on the endpoint, and avoid submitting confidential or private hiring material unless that service’s storage and logging behavior is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to transmit job-related data, including company, role title, and full JD text, to a local HTTP service without any user notice, consent step, or data-minimization guidance. Even though the endpoint is localhost, it is still an external process boundary; sensitive hiring data could be exposed to an unintended local service, logged, or handled by a less-trusted component.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.