make a recipe

Security checks across malware telemetry and agentic risk

Overview

This is a simple Pomodoro timer skill whose local notification and optional session logging behavior fit its stated purpose.

Before installing, note that using the logging command will create or update ~/pomodoro.log with Pomodoro session timestamps, and the notification command is intended for macOS.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Description-Behavior Mismatch

Low

Confidence: 95% confidence
Finding: The skill description presents a terminal timer, but the documented behavior also persists session data to ~/pomodoro.log. This creates an undeclared side effect on the user's filesystem, which is risky because users may not expect a simple timer skill to write permanent data.

Context-Inappropriate Capability

Low

Confidence: 93% confidence
Finding: Appending to a persistent file in the user's home directory is a real capability beyond the core timer function and is not justified or scoped by user confirmation. Even though the content written is low sensitivity, unsolicited file modification violates least surprise and can be abused as a pattern for stealthy persistence or cluttering user files.

Missing User Warnings

Low

Confidence: 97% confidence
Finding: The command appends to ~/pomodoro.log without any warning that persistent user data will be modified. In this skill context, logging pomodoro sessions is not inherently dangerous, but undocumented persistent writes reduce transparency and user control.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal