Human Psychologist for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This skill openly sends user messages to an external human psychologist service, so it is coherent but privacy-sensitive.

Install only if you are comfortable sending potentially sensitive wellbeing or mental-health messages to an external API where a human may read them and messages may be relayed through Telegram. Do not use it for emergencies, keep session IDs private, and manually verify any USDC payment instructions before sending follow-up messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This skill handles mental-health-related messages, which are highly sensitive, and explicitly routes them to a real human through a third-party API and then Telegram. Although it states that a real human is involved, it does not require an explicit privacy warning and user consent before collecting or transmitting the user's message, creating a meaningful risk of oversharing sensitive personal, medical, or crisis information to external parties.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal