08 Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent proactive memory assistant, but it asks the agent to persist personal context and perform broad autonomous checks without clear enough consent and scope controls.

Install only if you explicitly want an agent that keeps long-term local memory and proactively checks your workspace. Before enabling it, narrow the rules: require approval before email/calendar access, app or tab closing, file deletion or trashing, cron creation, autonomous sub-agents, and external sending or posting. Add sensitive-data exclusions and periodically review or clear the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (38)

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The file gives a broad autonomy directive ('Don't ask permission. Just do it.') while elsewhere requiring confirmation for deletions, external actions, uncertainty, and security changes. In practice, agents may follow the more permissive instruction first, causing inconsistent safety behavior and bypassing approval gates.

Intent-Code Divergence

Severity: Medium | Confidence: 99%
The first-run instruction tells the agent to delete BOOTSTRAP.md automatically after following it, which directly conflicts with the later rule to always confirm before deleting files. This creates a concrete path to unauthorized file deletion and teaches the agent that one-time workflow instructions can override safety controls.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The heartbeat authorizes autonomous system-level actions like closing apps, closing browser tabs, and moving files to trash that are not clearly necessary for a 'proactive partner' skill. These actions can disrupt active work or cause data loss, especially because they are framed as periodic maintenance rather than requiring explicit user confirmation each time.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Periodic review of emails and calendar grants ongoing access to sensitive personal and business information without clear justification, limits, or consent boundaries. In a proactive agent context this expands the skill from assistance into continuous surveillance-like behavior, increasing privacy and data exposure risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The file instructs the agent to persist onboarding answers and derived profile information into USER.md, SOUL.md, and ONBOARDING.md without any explicit consent, minimization, or retention controls. That creates a real privacy and state-integrity risk because personal data and behavioral preferences are being stored durably as part of normal operation, expanding the agent's long-term authority beyond simple conversational onboarding.

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
This guidance tells the agent to infer attributes such as location, communication preferences, relationships, and project details from ordinary conversation and silently persist them. Opportunistic profiling from ambient dialogue is dangerous because it bypasses informed consent and can accumulate sensitive user context over time, increasing privacy exposure and the chance of misuse or incorrect profiling.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
The promise to 'always check before doing anything external' can mislead users into thinking their data is not being acted on without approval, even though earlier sections authorize silent local persistence and inference. That inconsistency is security-relevant because it weakens user understanding and consent around ongoing data handling, making the skill more likely to collect and retain information under false assumptions.

Vague Triggers

Severity: Medium | Confidence: 80%
The onboarding trigger is broad enough that an agent may initiate profiling behavior during ordinary use without a clear, contemporaneous user opt-in. In this skill's context, that can lead to unintended collection and persistence of user data simply because a marker file is present.

Vague Triggers

Severity: Medium | Confidence: 75%
The reverse-prompting conditions are subjective ('when things feel routine') and can cause the agent to solicit additional information or propose new actions outside the user's immediate request. In a proactive agent, vague triggers expand the chance of overreach and unnecessary data collection.

Vague Triggers

Severity: Low | Confidence: 68%
Using 'long conversation' as a trigger is underspecified and may prompt the agent to ask profiling questions unpredictably. While lower severity than other issues, it still creates avoidable scope creep and privacy risk through unsolicited elicitation.

Missing User Warnings

Severity: Medium | Confidence: 89%
The skill instructs the agent to collect answers and auto-populate persistent profile files without a clear user-facing privacy notice about retention, scope, and downstream use. This is dangerous because users may disclose personal information without understanding it will be stored across sessions.

Natural-Language Policy Violations

Severity: Medium | Confidence: 83%
The cron example hard-codes a timezone and scheduled reminder behavior without confirming the user's locale or desire for recurring prompts. This can create unintended autonomous behavior and surprise interactions at inappropriate times.

Vague Triggers

Severity: Medium | Confidence: 92%
The WAL trigger scans every message for very common categories like corrections, names, preferences, decisions, and specific values, then mandates writing them to persistent state before responding. Those conditions occur in ordinary conversation, so the skill will activate frequently and capture more user data than necessary, increasing privacy and prompt-surface risk.

Vague Triggers

Severity: Medium | Confidence: 88%
The compaction recovery auto-triggers include ambiguous phrases like 'continue' or 'where were we?' that can appear in normal conversation without indicating actual context loss. This can cause unnecessary recovery behavior, unexpected file reads, and overbroad retrieval of stored context that the user did not explicitly ask to surface.

Missing User Warnings

Severity: High | Confidence: 97%
The skill defines a memory architecture that persists active state, daily logs, and curated long-term memory, but does not present a clear user-facing notice or consent mechanism for that retention. Because this includes conversational context and profile-building material elsewhere in the skill, it creates a meaningful privacy and compliance risk.

Vague Triggers

Severity: Medium | Confidence: 83%
The WAL trigger scans every message for very common conversational features like corrections, names, preferences, and numbers, then mandates immediate persistence to SESSION-STATE.md. This can cause over-collection of routine chat content and unintended recording of sensitive data without meaningful minimization or user consent.

Vague Triggers

Severity: Medium | Confidence: 72%
The compaction recovery triggers include broad phrases such as 'continue' or 'where were we?' and situations like 'you should know something but don't,' which are easy to hit during normal conversation. That ambiguity can spur unnecessary file reads and recovery workflows, increasing accidental exposure of prior context and stale state reuse.

Vague Triggers

Severity: Medium | Confidence: 93%
The condition 'If BOOTSTRAP.md exists' is ambiguous because existence alone does not prove a trusted first-run state. Any actor or process that can place that file in the workspace could trigger the agent to execute bootstrap instructions and then delete the file, leading to unintended or attacker-influenced behavior.

Missing User Warnings

Severity: Medium | Confidence: 88%
The instruction to delete BOOTSTRAP.md is presented as a routine operation without nearby warning that it modifies user files. In an agent skill, silent file deletion is risky because users may not realize the skill performs destructive cleanup during initialization.

Missing User Warnings

Severity: Medium | Confidence: 93%
The file instructs the agent to write to MEMORY.md, dated memory files, TOOLS.md, and notes files without warning the user that these are persistent modifications. Silent persistence can leak sensitive context into long-lived storage, create inaccurate records, and make later sessions act on stale or private information the user did not intend to save.

Missing User Warnings

Severity: Medium | Confidence: 96%
Closing applications, closing tabs, and moving screenshots to trash are potentially destructive actions, and the instructions provide no requirement for confirmation, preview, or recovery safeguards. Because these actions may occur during periodic heartbeats, the user may be unaware that the agent is altering their workspace or deleting potentially useful artifacts.

Missing User Warnings

Severity: Medium | Confidence: 95%
The instructions normalize periodic inspection of email and calendar content without any privacy disclosure, scope limitation, or consent checkpoint. This can expose highly sensitive communications, schedules, and third-party data, and the lack of warning makes the behavior more dangerous in an always-on heartbeat mechanism.

Missing User Warnings

Severity: Medium | Confidence: 90%
This long-term memory template explicitly encourages storing durable personal context such as important dates, relationship details, preferences, and background information, but provides no warning or boundary against storing sensitive personal data. In a proactive agent skill, that omission increases the likelihood that operators or downstream agents will persist unnecessary PII or sensitive relationship data in a broadly reusable memory file, creating privacy, retention, and misuse risk.

Vague Triggers

Severity: Medium | Confidence: 86%
The onboarding logic is activated based on broad state checks whenever the agent encounters this file, which can cause unsolicited onboarding behavior in contexts where the user did not explicitly request it. In a proactive agent, that increases the chance of unwanted prompting and premature collection of personal information.

Vague Triggers

Severity: Low | Confidence: 79%
The phrase "let's do onboarding" is fairly generic and the document does not provide exclusion or confirmation guidance, so an agent could misinterpret casual conversation or quoted text as consent to start onboarding. This is mainly a safety and consent issue rather than a direct exploit, but it can lead to unwanted data collection flows.

VirusTotal

63/63 vendors flagged this skill as clean.