Security audit

Tweetnugget

Security checks across malware telemetry and agentic risk

Overview

TweetNugget is a small local quote picker with a mild risk of accidental activation, but no hidden or harmful behavior was found.

Install if you are comfortable with a skill that runs a local Python script to read bundled quote JSON files from its own folder. Be aware it may activate on generic requests for inspiration or wisdom, and review any quote collections you add because their text may be displayed directly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 96% confidence

Finding
The README advertises extremely generic trigger phrases like "Give me a quote," "Surprise me," and "I need inspiration" that overlap with normal conversation in many chats. In an agent skill system, broad activation language can cause unintended invocation, leading the assistant to route ordinary user requests into this skill unexpectedly and degrade reliability or create confusing behavior.

Vague Triggers

Medium, 91% confidence

Finding
The trigger phrases are broad enough to match ordinary conversational requests such as asking for inspiration or wisdom, which can cause the skill to activate unexpectedly. That creates routing/invocation risk: user intent may be misinterpreted, and the agent may execute the skill and return canned content when the user wanted original assistance or a different action.

VirusTotal

56/56 vendors flagged this skill as clean.
