Skill Trust Decision

boss-ai-assistant

This Boss直聘 automation script contains multiple critical security issues: hardcoded API credentials, communication with an external IP for data exfiltration, self-update from an untrusted server, and undeclared behaviors.

Source: Manual upload · Scanned: Apr 4, 2026
Files 3
Artifacts 15
Violations 2
Findings 8
Most direct threat evidence
Critical Credential Theft
Hardcoded DashScope API Key

A real API key for the Alibaba DashScope service is hardcoded in the CONFIG object, allowing unauthorized API usage by anyone with access to the script.

scripts/boss_ai_assistant.js:28

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

4 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 7 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs script from documentation

Entry · SKILL.md:14

02
Script extracts all HR conversations and personal data

Escalation · scripts/boss_ai_assistant.js:130

03
Data POSTed to external IP without consent

Escalation · scripts/boss_ai_assistant.js:130

04
External server can serve malicious update via updateURL

Escalation · scripts/boss_ai_assistant.js:15

05
Hardcoded API keys enable unauthorized resource usage

Impact · scripts/boss_ai_assistant.js:28

What drove the risk score up

Hardcoded DashScope API key +20

Real API key 'sk-22118c56659647e39ba847253e671062' exposed at line 28

Hardcoded Google API key +15

Google Search API key '1c58b249fc64bd...' exposed at line 36

External IP data exfiltration +20

All HR conversations sent to http://121.199.76.208/hr_api.php without user consent

Self-update from external server +15

updateURL/downloadURL points to untrusted IP, could serve malicious code

Undeclared auto-agreements +10

Auto-agrees to WeChat/resume exchange without explicit user action per message

Personal data in code +5

Phone, email, name hardcoded in RESUME object

Most important evidence

Critical Credential Theft

Hardcoded DashScope API Key

A real API key for the Alibaba DashScope service is hardcoded in the CONFIG object, allowing unauthorized API usage by anyone with access to the script.

scripts/boss_ai_assistant.js:28
Move the API key to environment variables or a user configuration prompt; never hardcode it in source.

Critical Credential Theft

Hardcoded Google Search API Key

Google Custom Search API key is hardcoded, enabling unauthorized search quota consumption.

scripts/boss_ai_assistant.js:36
Use a user-configured API key or an OAuth flow.

Critical Data Exfil

All Conversations Exfiltrated to External IP

Every HR conversation including personal job search data, contact info, and messages is sent to http://121.199.76.208/hr_api.php without explicit user consent or encryption.

scripts/boss_ai_assistant.js:130
Do not exfiltrate data to external servers. Use localStorage or a user-provided server.

Critical Supply Chain

Self-Update from Untrusted External IP

Script defines updateURL and downloadURL pointing to http://121.199.76.208/boss_auto_greet.user.js, allowing remote code injection if server is compromised.

scripts/boss_ai_assistant.js:15
Remove the external update mechanism or use signed updates from a trusted source.

High Sensitive Access

Personal Contact Information Hardcoded

Phone number (18611101221) and email ([email protected]) of the operator are hardcoded in the RESUME object.

scripts/boss_ai_assistant.js:45
Move to a user configuration file.

High Doc Mismatch

Undeclared External Server Communication

SKILL.md does not mention communication with the http://121.199.76.208 server or data storage on an external database. Users are unaware their conversations are being sent elsewhere.

SKILL.md:1
Document all external data flows and obtain informed consent from users.

High Doc Mismatch

Undeclared Automated Actions

The script automatically clicks 'agree' buttons for WeChat exchange and resume requests without per-message user confirmation. This bypasses user intent verification.

scripts/boss_ai_assistant.js:199
Declare automatic agreement behavior or require user confirmation for each action.

Medium Sensitive Access

Bark Push Notification with Embedded Key

Bark notification URL contains embedded device key, potentially exposing push channel.

scripts/boss_ai_assistant.js:29
Make Bark URL configurable per user.

Declared capability vs actual capability

Network · Block
Declared: NONE
Inferred: WRITE
scripts/boss_ai_assistant.js:517 - POSTs to external APIs

Browser · Block
Declared: NONE
Inferred: WRITE
scripts/boss_ai_assistant.js:199-229 - Auto-clicks agree buttons

Suspicious artifacts and egress

Critical API Key
sk-22118c56659647e39ba847253e671062

scripts/boss_ai_assistant.js:28

High IP Address
121.199.76.208

scripts/boss_ai_assistant.js:13

High API Key
apiKey: 'sk-22118c56659647e39ba847253e671062'

scripts/boss_ai_assistant.js:28

High API Key
ApiKey: '1c58b249fc64bd1183c1075c8a9f81e142d197096c384ffe0e3bc096932c8847'

scripts/boss_ai_assistant.js:36

Medium External URL
https://www.zhipin.com/web/geek/chat*

SKILL.md:29

Medium External URL
https://dashscope.console.aliyun.com/

references/config.md:8

Medium External URL
https://programmablesearchengine.google.com/

references/config.md:14

Medium External URL
https://api.day.app/

references/config.md:19

Medium External URL
http://tampermonkey.net/

scripts/boss_ai_assistant.js:3

Medium External URL
https://www.google.com/s2/favicons?sz=64&domain=zhipin.com

scripts/boss_ai_assistant.js:8

Medium External URL
http://121.199.76.208/boss_auto_greet.user.js

scripts/boss_ai_assistant.js:15

Medium External URL
https://api.day.app/BMtjb8EnZjV6qsRH4pgaqY/

scripts/boss_ai_assistant.js:29

Dependencies and supply chain

There are no structured dependency warnings.

File composition

3 files · 999 lines
JavaScript 1 file · 899 lines
Markdown 2 files · 100 lines
Files of concern · 3
scripts/boss_ai_assistant.js JavaScript · 899 lines
Hardcoded DashScope API Key · Hardcoded Google Search API Key · All Conversations Exfiltrated to External IP · Self-Update from Untrusted External IP · Personal Contact Information Hardcoded · Undeclared Automated Actions · Bark Push Notification with Embedded Key · sk-22118c56659647e39ba847253e671062 · 121.199.76.208 · apiKey: 'sk-22118c56659647e39ba847253e671062' · ApiKey: '1c58b249fc64bd1183c1075c8a9f81e142d197096c384ffe0e3bc096932c8847' · http://tampermonkey.net/ · https://www.google.com/s2/favicons?sz=64&domain=zhipin.com · http://121.199.76.208/boss_auto_greet.user.js · https://api.day.app/BMtjb8EnZjV6qsRH4pgaqY/ · http://121.199.76.208/hr_api.php · https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions · [email protected]
SKILL.md Markdown · 43 lines
Undeclared External Server Communication · https://www.zhipin.com/web/geek/chat*
references/config.md Markdown · 57 lines
https://dashscope.console.aliyun.com/ · https://programmablesearchengine.google.com/ · https://api.day.app/

Security positives

Script functionality matches stated purpose (Boss直聘 automation)
No direct code obfuscation (base64, eval patterns not found)
Uses standard Tampermonkey/ScriptCat API for cross-origin requests
MutationObserver implementation is standard browser automation technique