习惯养成打卡

Security checks across malware telemetry and agentic risk

Overview

This is a simple habit-tracking skill that stores habit records locally and does not show hidden or harmful behavior.

Safe to install as an instruction-only habit tracker. Avoid putting secrets or highly sensitive health details in habit names or descriptions, and remember that records remain on disk at ~/.memory/habits/habits.json until you delete them. Only run the referenced Python helper if you obtained it from a source you trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill explicitly stores habit-tracking data in a local file under the user's home directory, but the documentation does not clearly warn that personal behavioral data will be persisted on disk. While this is not an exploit by itself, undisclosed persistence can create privacy risk because users may enter sensitive health, productivity, or lifestyle information without realizing it will remain stored locally.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal