Back to skill

Security audit

Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed daily-briefing skill that summarizes the user's own schedule, inbox, tasks, and news, with no executable code or hidden behavior found.

Before installing, confirm which calendars, mailboxes, CRM records, tasks, and notes your agent can access. Enable scheduled briefings only if you want recurring automatic summaries, and avoid sending briefings to shared or visible channels unless private meeting, email, and CRM details are appropriate there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation phrase "Brief me." is extremely generic and overlaps with normal conversational language, increasing the chance of accidental or unintended activation. In a skill that accesses calendar, email, and news data, this ambiguity can trigger privacy-sensitive actions without clear user intent, especially if used in ambient, chat, or automated assistant contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes automatic delivery and use of calendar, inbox, and news data but provides no user-facing disclosure about what data is accessed, how often, where summaries are delivered, or what privacy implications exist. This is dangerous because users may enable recurring briefings without understanding that sensitive schedule and email information could be continuously collected, processed, or surfaced in insecure contexts.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are overly broad and include common conversational language such as "What's on today?" and "Start my day," which can cause the skill to activate unintentionally. Because this skill accesses sensitive sources like calendar, email, CRM, tasks, and web/news data, accidental invocation could expose private information in contexts where the user did not clearly intend a briefing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is designed to aggregate data from multiple sensitive personal and business sources, including calendar, email, CRM, tasks, news, and weather, but it does not warn the user that these sources may be accessed. Without clear disclosure and consent boundaries, users may unknowingly authorize broad collection and summarization of sensitive information, increasing privacy and data exposure risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.