AI Interview

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as an interview helper, but it can bulk-upload sensitive resume files to Fuku.ai and does not enforce the documented workspace-only folder limit.

Install only if you are comfortable sending selected resumes and a report email address to Fuku.ai. Before running it, use a dedicated workspace folder containing only intended test or approved resumes, verify the contents yourself, and prefer a version that enforces workspace path validation, asks for explicit upload confirmation, documents retention, and pins dependencies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The skill’s title and description suggest a benign mock-interview capability, but the documented behavior performs bulk collection and upload of local resume files containing sensitive PII to a third-party service, creates remote jobs, and stores local job metadata. This mismatch is dangerous because users may consent to a seemingly simple interview tool without understanding that it exfiltrates resume data off-platform to a shared anonymous service using hardcoded identifiers.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The package metadata is inconsistent: the skill is described as running AI-powered mock interviews via a public service, while the manifest says it batch uploads resumes and triggers interview jobs. This kind of mismatch is a supply-chain red flag because it can conceal the real behavior of the package and mislead reviewers about data handling, especially when resumes and external job triggering imply sensitive personal data processing.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill transmits resumes and the reporting email address to external Fuku.ai endpoints without an explicit disclosure, consent prompt, or privacy notice at runtime. Because resumes commonly contain sensitive personal and professional information, users may unknowingly exfiltrate PII to a third party, creating confidentiality, compliance, and trust risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal