Back to skill

Security audit

Job Search Agent

Security checks across malware telemetry and agentic risk

Overview

This job-search skill is not malicious, but it encourages automated bulk job applications without clear review, consent, or personal-data handling safeguards.

Install only if you plan to keep job applications under direct user control. Use it for searching, ranking, drafting, and tracking first; require a preview and explicit approval for every employer, role, resume, cover letter, and form answer before anything is submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises auto-apply behavior that can submit job applications on a user's behalf, affecting external accounts and sending personal information to third parties, but it provides no warning, consent model, or confirmation safeguard. In a job-search context this is especially risky because applications are externally visible, may be hard to retract, and can damage the user's reputation or misuse stored credentials/profile data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
CV matching and application support imply processing of resumes, employment history, skills, and possibly contact details, all of which are sensitive personal data, yet the skill provides no privacy, retention, sharing, or security notice. This omission increases the chance of unsafe handling or unexpected disclosure of user data to job boards or integrated services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The usage examples encourage bulk application submission such as applying to the top 10 jobs or all matching remote positions without warning that these are irreversible external actions. In this skill's context, mass submission can trigger spam-like behavior, submit inaccurate materials at scale, and harm the user's professional standing across multiple platforms.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.