Liepin Jobs

Security checks across malware telemetry and agentic risk

Overview

This Liepin job-search skill is mostly coherent, but it can act on a real account with a stored token, submit applications, edit resume data, and invoke arbitrary Liepin MCP tools without enough built-in safeguards.

Install only if you are comfortable granting access to your Liepin account and resume. Use the default Liepin MCP endpoint, protect the saved token, avoid the generic call command unless you know the exact remote tool being invoked, and require a clear manual confirmation before any resume update or job application.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The generic `call` subcommand allows invocation of any remote MCP tool name with arbitrary JSON arguments, which exceeds the skill's declared scope of job search, application, and resume management. If the remote MCP server exposes additional sensitive tools, this CLI becomes a confused-deputy interface that can trigger unintended actions against the user's authenticated account.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
Enumerating all remote tools via `tools/list` is not inherently unsafe, but in this skill it exposes capabilities beyond the stated purpose and helps discover potentially sensitive operations available to the authenticated user token. Combined with unrestricted invocation elsewhere, it increases the likelihood of misuse by making hidden or undocumented tools easy to identify.

Vague Triggers

Medium (88% confidence)
Finding
The trigger phrases are extremely broad and map to common job-seeking language such as '找工作', '求职', and '简历', increasing the chance the skill activates in ordinary conversation without the user intending to use this specific tool. Because the skill can read and modify resumes and submit applications, overbroad invocation raises the risk of privacy-impacting actions or unwanted external requests being initiated from ambiguous prompts.

Vague Triggers

Medium (84% confidence)
Finding
The default prompt grants broad job-search and resume-management behavior without clearly constraining when the skill should activate or what actions require explicit user confirmation. In combination with implicit invocation, this can cause the agent to over-apply the skill in unrelated contexts or take higher-risk actions such as resume review/application preparation based on ambiguous user requests.

Missing User Warnings

Medium (91% confidence)
Finding
`update-resume` performs a state-changing operation on the user's profile immediately after parsing caller-supplied JSON, without any confirmation, preview, or warning. In an agentic context this is risky because malformed input, prompt injection, or simple user misunderstanding can silently overwrite important resume data.

Missing User Warnings

Medium (94% confidence)
Finding
`apply-job` submits a real application immediately using authenticated user context, with no confirmation or warning despite being an irreversible or high-consequence action. In an agent skill, this creates a meaningful risk of accidental submissions to the wrong jobs or mass unintended applications if invoked by another system component.

VirusTotal

66/66 vendors flagged this skill as clean.
