career-ops-job-search
Fail
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation process involves cloning a source code repository from an unverified GitHub account (`santifer/career-ops`).
- [REMOTE_CODE_EXECUTION]: The skill executes `npm install` and `go build` on the downloaded content from the external repository, allowing for the execution of arbitrary scripts and binaries on the host system during the setup phase.
- [COMMAND_EXECUTION]: The pipeline relies on a bash orchestrator (`batch-runner.sh`) that invokes the `claude` CLI with dynamically generated prompts and shell sub-processes.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it scrapes job descriptions from third-party URLs (e.g., Greenhouse, Lever, Ashby) and interpolates this untrusted content directly into agent prompts without sanitization or boundary markers.
  - Ingestion points: Job URLs and descriptions fetched from external portals defined in `portals.yml` and `batch/queue.txt`.
  - Boundary markers: None identified in the prompt construction logic inside `batch-runner.sh`.
  - Capability inventory: File-system writes (`data/`, `reports/`), network operations (scraping), and subprocess execution (`claude -p`).
  - Sanitization: No sanitization or escaping of Job Description content is described in the pipeline logic.
- [DATA_EXFILTRATION]: The skill specifically targets and aggregates sensitive PII including full CV content (`cv.md`) and candidate profiles (`profile.yml`) containing location and compensation data, which is then processed through LLM agents interacting with external job URLs.
Recommendations
- AI detected serious security threats
Audit Metadata