four-leaf-coach
Pass
Audited by Gen Agent Trust Hub on Jun 3, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to a vendor-operated MCP server (
https://four-leaf.ai/api/mcp) to access job search tools, role-specific intelligence, and interview question banks. These downloads are integral to the service and originate from the author's infrastructure. - [COMMAND_EXECUTION]: The provided installation script (
bin/four-leaf-coach.js) manages the deployment of the skill by copying files into local configuration directories for Claude Code, Cursor, and other tools. It uses standard Node.js file system APIs for this purpose. - [DATA_EXFILTRATION]: Professional data, such as job descriptions and compensation packages, are transmitted to the Four-Leaf server for analysis. This is the intended behavior for the coaching and compensation benchmarking features provided by the vendor.
- [PROMPT_INJECTION]: The skill instructions emphasize maintaining a coaching persona and adhering to ethical guidelines, such as refusing to help users cheat during live interviews. It utilizes external data sources (like job postings) for analysis without demonstrating vulnerability to instruction override.
Audit Metadata