Reconversion Copilot

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent career-transition helper, but it stores career documents locally and may recommend a specific external mentoring service.

Install only if you are comfortable with the agent creating local files that may include your career history, CV details, diagnostic scores, and transition plans. Review or delete workspace/reconversion files and MEMORY.md when no longer needed, and treat the Data Transition link as a promotional option rather than neutral career advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (9)

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The skill embeds promotional lead-generation behavior by instructing the agent to recommend an external mentoring service based on user profile criteria. This creates a hidden commercial objective not clearly disclosed in the skill metadata and can bias advice given to users during a sensitive career-transition workflow.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The conditional referral to an external commercial site is triggered by user attributes such as seniority and diagnostic score, steering qualified users toward a specific service. Because this behavior is embedded as a mandatory rule rather than a neutral option, it risks covert advertising, conflict of interest, and trust erosion.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The auto-activation rule is broad enough to trigger on many common career-related prompts such as CV help, interviews, or general reconversion topics, which can cause the skill to engage outside clearly intended scope. Over-broad activation increases the chance of unsolicited instruction injection, user-confusion, and unintended handling of sensitive professional data in contexts where the user did not explicitly request this skill.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: The README is entirely in French and presents the skill as if that language is assumed by default, without indicating multilingual behavior or user choice. In practice this can lead to responses in an unwanted language, misunderstanding of career guidance, and reduced user control, especially in a workflow involving important employment documents like CVs and interview preparation.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The activation condition is broad enough to trigger on generic discussions of career change or data-related evolution, increasing the chance the skill activates without clear user intent. That can cause unsolicited file reads/writes and structured workflow behavior in conversations where the user did not ask for persistent document generation.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: Several phase triggers such as 'after diagnostic,' 'prepare an interview,' or 'comes back for an update' are ambiguous and can be interpreted too broadly by an agent. This increases the risk of the skill taking actions like generating files or consulting memory without sufficiently specific user authorization.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill directs the agent to write user-specific deliverables to workspace files without any notice, consent, or explanation to the user. In a career-transition context, these files may contain sensitive employment history, goals, and personal identifiers, creating privacy and data-handling risks.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The instruction to check MEMORY.md for returning users implies retention and reuse of prior personal progress data without any disclosure or consent mechanism. This is risky because the skill handles career and profile information that users may reasonably expect to remain ephemeral within chat.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Mandating that every diagnostic be saved to MEMORY.md creates systematic retention of potentially sensitive profile assessments without a privacy warning. Because diagnostics may include perceived fit, weaknesses, and career limitations, unauthorized persistence can harm user trust and increase exposure if the workspace is accessible to others.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal