Smart Todo - AI智能代办管理 (AI smart todo management)

Security checks across malware telemetry and agentic risk

Overview

This local todo skill may be useful, but it needs review because it can save workspace and conversation context even after a user declines creating a todo.

Install only if you are comfortable with local plaintext todo files containing recent conversation snippets, workspace file names, and task context. Avoid using it in confidential workspaces unless context capture is narrowed, refusal stops all saving, and there are clear controls for retention, deletion, and disabling automatic interruption capture.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (21)

Context-Inappropriate Capability

Severity: Medium, confidence 97%
Finding
The workflow states that if the user refuses todo creation during interruption handling, the skill will still silently save context for later reference. This defeats meaningful user consent and can retain sensitive conversation or work context even after an explicit decline.

Description-Behavior Mismatch

Severity: Medium, confidence 94%
Finding
The function captures broad context including workspace path, open/recent files, conversation history, and environment details, which goes beyond what a todo-management skill minimally needs. In an agent setting, over-collection increases the chance that unrelated sensitive project or user data is exposed, persisted, or reused without clear necessity or consent.

Context-Inappropriate Capability

Severity: Medium, confidence 96%
Finding
The code walks the workspace filesystem to infer open and recent files, effectively enumerating project contents without a strong todo-specific justification. Even with directory and file-type limits, this behavior can reveal sensitive filenames, project structure, or recent work activity unrelated to the user's request.

Context-Inappropriate Capability

Severity: Medium, confidence 97%
Finding
Reading `.workbuddy/memory` files and extracting file paths accesses another memory store that may contain unrelated prior session data. This creates cross-context data exposure risk and exceeds the stated purpose of managing todos, especially because the contents may include sensitive paths or references the user did not intend to resurface.

Vague Triggers

Severity: Medium, confidence 88%
Finding
The work-interruption trigger phrases are broad, everyday expressions such as '等一下' ("wait a moment") and '先放下' ("set it aside for now"), which are likely to appear in normal conversation unrelated to task management. In a skill that auto-activates on natural language, this can cause unintended state changes, automatic context capture, or task updates without clear user intent.

Missing User Warnings

Severity: Medium, confidence 95%
Finding
The README advertises automatic capture of work files and conversation history but does not clearly warn users about what data is collected, how much is retained, or where it is stored. Because this skill manages task context and persists data to disk, silent collection can expose sensitive project information, personal data, or confidential conversation content.

Vague Triggers

Severity: High, confidence 93%
Finding
Trigger phrases like '记一下' ("note this down") and '添加到待办' ("add to the todo list") are common conversational expressions and may activate the skill unintentionally. In this skill, accidental activation is more dangerous because activation can lead to context capture and filesystem writes.

Vague Triggers

Severity: High, confidence 96%
Finding
Interruption triggers such as '先放下' ("set it aside for now"), '等一下' ("wait a moment") and '先做别的' ("do something else first") are extremely broad and likely to occur in normal dialogue unrelated to task management. Because the skill couples these triggers with automatic context capture, false activations can result in unintended collection and storage of sensitive workspace state.
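The three Vague Triggers findings above make the same point: substring matching on everyday phrases fires on ordinary chat, and in this skill a false activation means a capture and a disk write. The following added example (not code from the skill or from SkillSpector) runs the trigger phrases quoted in the findings over a constructed set of Chinese messages, first with plain substring matching and then with an assumed stricter gate in which only an explicit structured request ("记一下：<task>") may create a todo and any other occurrence of a trigger phrase only asks the user for confirmation without writing anything. The sample messages, the gate's regex and the "create/confirm/none" states are assumptions for illustration.

```python
import re

# Trigger phrases quoted in the findings above, with English glosses.
INTERRUPT_PHRASES = {
    "等一下": "wait a moment",
    "先放下": "set it aside for now",
    "先做别的": "do something else first",
}
CREATE_PHRASES = {
    "记一下": "note this down",
    "添加到待办": "add to the todo list",
}
ALL_PHRASES = {**INTERRUPT_PHRASES, **CREATE_PHRASES}

# Constructed sample messages (not from any real conversation); only the third
# one is an explicit, structured todo request.
SAMPLES = [
    "等一下，我看看日志再回答",                          # "hold on, let me check the logs first"
    "这个先放下，先做别的，回头再说",                      # "park this, do something else, revisit later"
    "记一下：明天部署前要轮换密钥",                        # "note this down: rotate keys before tomorrow's deploy"
    "把这个添加到待办",                                  # "add this to the todo list" (no task text given)
    "等一下，你刚才说的 token 是 sk-constructed-123 吗",   # "wait, was the token you mentioned sk-constructed-123?"
    "今天天气不错",                                      # "nice weather today"
]

# Explicit request: the message opens with a creation phrase, a colon and task
# text. This gate is an assumption for the example, not the skill's own rule.
EXPLICIT_CREATE = re.compile(r"^\s*(记一下|添加到待办)\s*[:：]\s*(\S.*)$")


def naive_matches(message: str) -> list[str]:
    """Substring matching as an auto-activating skill does it: any occurrence fires."""
    return [p for p in ALL_PHRASES if p in message]


def classify(message: str) -> str:
    """Stricter gate: 'create' only for an explicit structured request,
    'confirm' (ask the user, write nothing) when a broad phrase merely
    appears somewhere, otherwise 'none'."""
    if EXPLICIT_CREATE.match(message):
        return "create"
    if any(p in message for p in ALL_PHRASES):
        return "confirm"
    return "none"


def compare(samples: list[str]) -> dict[str, int]:
    """Count how many sample messages each approach would act on."""
    return {
        "naive_fires": sum(1 for m in samples if naive_matches(m)),
        "strict_create": sum(1 for m in samples if classify(m) == "create"),
        "strict_confirm": sum(1 for m in samples if classify(m) == "confirm"),
        "strict_none": sum(1 for m in samples if classify(m) == "none"),
    }


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{classify(m):8} naive={naive_matches(m)}  {m}")
    print(compare(SAMPLES))
```

On this sample set the naive matcher fires on five of six messages, including the one that merely quotes a token while asking a question; the strict gate creates a todo for one message and turns the other four hits into a confirmation prompt, which is the property the findings ask for: no capture or write without a deliberate user action.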

Missing User Warnings

Severity: Medium, confidence 92%
Finding
The documentation says the skill stores open files, recent file modifications, and recent conversation history, but it does not provide a clear privacy warning at the point of use. Users may not understand that sensitive workspace metadata and dialogue content are being persisted into todo records.

Missing User Warnings

Severity: High, confidence 98%
Finding
Persisting context after the user declines todo creation is a direct consent violation, especially because the saved context includes recent conversation and working-file information. The lack of notice and opt-in makes this a stronger privacy issue than ordinary metadata collection.

Missing User Warnings

Severity: Medium, confidence 84%
Finding
The skill instructs writes to active.md/archive.md and describes automatic directory creation and file backup/reinitialization, but does not present a consolidated warning about these filesystem side effects. This can surprise users and administrators and expands the risk of unintended local data modification.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The skill collects conversation history and environment details without any visible disclosure, consent flow, or indication to the user that these data will be captured for todo continuation. Silent collection is risky because users may share sensitive information in conversation that they do not expect to be repackaged into stored context.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The skill persists user-provided task names, descriptions, context, and status data to local markdown files, but nothing in this module indicates user notice, consent, retention limits, or controls over where that data is stored. Because todo/context fields may contain sensitive work notes or personal information, silent on-disk persistence creates a real privacy and data-handling risk, especially on shared or unmanaged hosts.

Missing User Warnings

Severity: Medium, confidence 92%
Finding
Completed or terminated todos are archived to a persistent history file, extending retention of potentially sensitive task content beyond active use without any evident warning or consent flow. This increases privacy exposure because users may assume a task is gone once completed, while the system actually keeps a long-lived historical record.

Ssd 3

Severity: Medium, confidence 94%
Finding
Instructions to retain conversation history and work context increase the amount of user-provided data stored by the skill, creating unnecessary exposure if the storage path is insecure, shared, or later accessed by other tools. In the context of a productivity skill with automatic capture features, over-collection materially raises privacy and confidentiality risk.

Ssd 3

Severity: Medium, confidence 98%
Finding
Silent retention of task context and recent conversation after an explicit refusal creates unauthorized persistence of potentially sensitive data. Because interruption phrases are broad, this retention may happen unexpectedly and later surface private information in todo views or reminders.

Ssd 3

Severity: Medium, confidence 95%
Finding
The workflow instructs broad collection of open files, recently modified files, recent dialogue history, and current task goals, then stores that material inside todo records. This creates unnecessary accumulation of workspace and conversational context that may include secrets, proprietary filenames, or personal data.

Ssd 3

Severity: Medium, confidence 94%
Finding
The stored todo schema embeds dialogue summaries, current goals, opened files, and recent files directly in markdown records. That makes prior user context durable and easily resurfaced later through browsing, reminders, backups, or sync mechanisms, increasing exposure of sensitive information.

Ssd 3

Severity: Medium, confidence 95%
Finding
The captured context stores raw conversation history, notes, todo state, and environment data together in one structure for later reuse. This aggregation can preserve secrets, personal data, internal paths, or sensitive work details beyond the immediate interaction, increasing exposure if the context is logged, displayed, or accessed by other components.

Ssd 3

Severity: Medium, confidence 94%
Finding
The formatter re-emits recent conversation messages into a summary, which can surface previously shared sensitive content to logs, UI, or downstream tools. Truncation to 100 characters does not meaningfully prevent disclosure, since secrets or private details often appear early in a message.
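The finding above says that cutting each message at 100 characters does not stop disclosure, and earlier findings describe the same captured structure (recent messages, open files, recent files) being persisted to markdown, including after the user declines. The following added example (not the skill's code or SkillSpector's) builds a constructed context in that shape, shows that the 100-character truncation keeps a token that appears early in a message, and then applies the check a practitioner would want in front of any write: redact secret-shaped spans, drop paths that point at credential files or directories, and persist nothing at all on refusal. The secret patterns, sensitive-path lists and sample messages are assumptions for illustration, not a complete detection ruleset.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Secret shapes to redact before anything is written to a todo file. These
# patterns are assumptions for this example, not a complete secret-detection set.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                      # AWS access key ID shape
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                   # GitHub classic PAT shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),    # PEM private-key header
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"),  # HTTP bearer credential
    re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*\S+"),
]

# File names and locations that should never be recorded as "open" or "recent".
SENSITIVE_NAMES = {".env", ".npmrc", ".pypirc", ".netrc", "id_rsa", "id_ed25519", "credentials"}
SENSITIVE_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}
SENSITIVE_DIRS = {".ssh", ".aws", ".gnupg"}

# Constructed captured context, shaped like the schema the findings describe.
# The token and password below are made-up values for the example.
CTX = {
    "recent_messages": [
        "Here is the deploy token: ghp_0123456789abcdef0123456789abcdef0123 please keep it "
        "handy while we finish the release notes for the sprint review meeting",
        "Connection string uses password=Hunter2Constructed for the staging db",
        "Let's pick up the ticket after lunch",
    ],
    "open_files": ["src/app.py", ".env", "infra/prod.pem", "docs/plan.md"],
    "recent_files": ["/home/dev/.ssh/id_ed25519", "src/app.py",
                     "/home/dev/.aws/credentials", "README.md"],
}


def truncate_summary(messages: list[str], limit: int = 100) -> list[str]:
    """The mitigation the finding criticises: cut each message at `limit` characters."""
    return [m[:limit] for m in messages]


def redact(text: str) -> str:
    """Replace every secret-shaped span with a marker; every pattern is applied."""
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def is_sensitive_path(path: str) -> bool:
    """True for credential files, key material and well-known secret directories."""
    p = PurePosixPath(path)
    return (p.name in SENSITIVE_NAMES
            or p.name.startswith(".env.")
            or p.suffix in SENSITIVE_SUFFIXES
            or any(part in SENSITIVE_DIRS for part in p.parts))


def scrub_context(ctx: dict, declined: bool = False) -> Optional[dict]:
    """Return the context that may be persisted, or None when the user declined:
    a refusal must produce no write at all, not a silent save for later."""
    if declined:
        return None
    return {
        "recent_messages": [redact(m) for m in ctx.get("recent_messages", [])],
        "open_files": [f for f in ctx.get("open_files", []) if not is_sensitive_path(f)],
        "recent_files": [f for f in ctx.get("recent_files", []) if not is_sensitive_path(f)],
    }


if __name__ == "__main__":
    print("truncation still leaks token:", "ghp_" in truncate_summary(CTX["recent_messages"])[0])
    print(scrub_context(CTX))
    print("after refusal:", scrub_context(CTX, declined=True))
```

Redaction runs every pattern in turn, so the token is first replaced by its shape-specific rule and the surrounding "token: ..." phrase is then caught by the generic key/value rule; path filtering checks the basename, the suffix and every directory component, so both `.env` in the workspace and `~/.aws/credentials` surfaced by a filesystem walk are dropped.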

Ssd 3

Severity: Medium, confidence 93%
Finding
Interruption capture persists task descriptions, reasons, and conversation-derived resume points for future continuation, carrying sensitive context across time and possibly across tasks. In a todo skill, this makes the issue more concerning because interruption handling is likely to trigger automatically, increasing the chance of collecting and resurfacing data without deliberate user action.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal