TribuRuby Training Agent

Security checks across malware telemetry and agentic risk

Overview

This instruction-only TribuRuby skill uses a declared API key to view training and tribe activity and can submit check-ins, with no hidden code or unrelated behavior found.

Before installing, be comfortable giving the agent a TribuRuby API key that can view your training context and tribe member activity. Review ritual, quantity, protocol, and date before allowing it to submit a check-in.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs the agent to fetch and show tribe activity, including other members, weekly activity, streaks, and today's check-ins, but the description and workflow do not warn users that data about other people will be accessed and displayed. This creates a privacy/transparency issue: users may invoke the skill expecting only self-tracking, while the agent retrieves third-party activity data that can be sensitive in a health, habits, or community context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal