Wilma Triage

Security checks across malware telemetry and agentic risk

Overview

This is a clearly described Wilma school-notification triage skill that reads sensitive school data and syncs selected school events to Google Calendar for its stated purpose.

Install only if you are comfortable letting the agent read Wilma school records, summarize sensitive lesson notes or absences in chat, and add or remove school-related events in a Google Calendar. Use a dedicated school calendar if possible, review MEMORY.md and TOOLS.md periodically, and make sure you trust the separate `wilma` and `gog` tools before connecting credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill handles sensitive school information about children and also writes data to an external Google Calendar, but it does not prominently warn the user about these privacy and external-data effects at the point of use. This can lead to users invoking the skill without informed consent about what data is accessed, surfaced in chat, and synced to third-party services.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal