automate applying to jobs with email

Security checks across malware telemetry and agentic risk

Overview

This job-application skill is not deceptive, but it needs review because it can automatically email employers with your CV and process sensitive inbox and tracker data with limited controls.

Install only if you are comfortable with an agent using Gmail to contact employers and possibly reply to recruiters on your behalf. Use a dedicated mailbox, keep manual approval on for every outgoing email, avoid storing main-account credentials, review WhatsApp notification behavior, and regularly inspect or delete Applications.json because it can contain sensitive job-search history and interview details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The README advertises a WhatsApp approval and daily-digest workflow that expands the skill's apparent operational surface beyond its core email-application behavior. Undocumented or mismatched channels can cause users or orchestration systems to grant broader permissions than expected, increasing the risk of unreviewed data sharing and actions through an external messaging platform.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The trigger phrase "show tracker" is broad and plausible in ordinary conversation, which increases the chance of accidental activation. In a skill that can expose application history and potentially chain into other job-application actions, ambiguous invocation boundaries create a real risk of unintended disclosure or workflow execution.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The usage examples do not define when the skill should activate versus when similar natural language should be ignored. Because this skill can search, compose, send emails, and update a tracker, weak activation boundaries raise the likelihood of accidental triggering and unintended outbound actions or state changes.

Missing User Warnings

High

Confidence: 93% confidence
Finding: The README describes an auto mode where, after initial approval, the agent sends application emails immediately, but it does not prominently warn about autonomous outbound communication. In a skill handling personalized emails, attachments, and employer contact, this can lead to reputational damage, privacy leaks, and mass unintended submissions if the scoring or parsing logic is wrong.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The manifest description includes broad trigger phrases like 'apply to jobs', 'find jobs', 'job search', 'check tracker', and 'check inbox for job replies', which could match ordinary user requests and cause the skill to activate in situations where the user did not intend autonomous email, inbox, or tracking actions. In this skill, that risk is amplified because activation can lead to outbound email sending, inbox processing, and persistence of sensitive personal data.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill explicitly states that after the first 3 approvals, 'emails send immediately,' enabling autonomous outbound communication without a clear per-action user warning or consent checkpoint. In a job-application context, this can result in unintended applications, reputational harm, disclosure of personal data and CV contents to third parties, and spam-like behavior at scale.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The workflow instructs the agent to 'Process replies: interview requests, rejections, spam' but does not provide an explicit privacy warning that the skill will access and analyze inbox contents. Email inboxes commonly contain sensitive personal, professional, and third-party information, so silent processing materially increases privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill stores application activity in `Applications.json` and instructs the user to maintain profile and personal data in local reference files, but it does not clearly warn users that sensitive employment history, contact details, targets, and application records will be persisted locally. This creates confidentiality and integrity risks, especially on shared machines or in synced directories.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The tracker schema instructs the agent to persist sensitive personal and quasi-sensitive data such as recruiter email addresses, interview dates/times, interview links, and application history, but it provides no minimization, retention, access-control, or user-consent guidance. In a job-application automation skill, centralizing this data in a JSON file increases privacy and security risk if the file is exposed, mishandled, synced insecurely, or later repurposed beyond the user's expectations.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The template explicitly states the agent will automatically send interview-scheduling replies when processing the inbox, but there is no indication of a confirmation step, preview, or user-facing warning before outbound email is sent. In a skill that has Gmail sending capability and processes inbound recruiter messages, this creates a real risk of unauthorized or incorrect external communication, including committing the user to interviews or leaking availability without explicit approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal