Toggle

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for work-activity analytics, but it asks for persistent background collection and broad use of sensitive activity history in ways users should review carefully.

Install only if you are comfortable letting the skill retrieve and locally persist detailed work-activity history, potentially run scheduled syncs, and use that history for proactive suggestions or cross-context briefings. Before enabling cron/background sync or calendar/other-skill correlation, confirm what data is stored, where it is written, how to delete it, and how to turn the behavior off.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The skill claims to return raw context data, but the documented behavior expands into predictions, nudges, automation proposals, and cross-skill orchestration. This broadens the trust boundary from passive retrieval to behavior-shaping and workflow control, increasing privacy and safety risk beyond what a user would reasonably infer from the manifest.

Context-Inappropriate Capability

Medium (87% confidence)
Finding
The skill instructs the agent to inspect and create cron jobs for ongoing background collection, which is a privileged operational action not inherent to reading work-activity data. Background syncing can silently expand surveillance, increase retention, and create persistent side effects on the host environment.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The skill directs the agent to inspect other installed skills and combine Toggle history with calendar data for proactive briefings and predictions. Cross-skill data fusion increases privacy exposure and can reveal sensitive behavioral inferences unrelated to the original purpose of retrieving activity history.

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The skill goes beyond fetching Toggle activity and performs local control-plane logic by inspecting cron state and gating execution on local scheduler configuration. That expands its access to unrelated local operational metadata and gives the skill authority over user workflow behavior that is not justified by its stated purpose, increasing privacy and attack surface risk.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Reading ~/.openclaw/cron/jobs.json lets the skill inspect local scheduler metadata unrelated to answering activity/context questions. Even if only used for guidance, this exposes local system state and can reveal job names, schedules, and failure details that are outside the declared function of the skill.

Context-Inappropriate Capability

Medium (86% confidence)
Finding
The code creates and interprets a local state.yaml file that controls whether cron checks are enforced, introducing persistent local state and behavioral control outside the skill's advertised analytics role. This broadens the skill from passive data retrieval into local configuration management, which can surprise users and create opportunities for unauthorized persistence or policy bypass.

Vague Triggers

Medium (85% confidence)
Finding
The activation guidance is extremely broad ('anything work-related'), making accidental invocation likely on ordinary conversations. Because the skill can fetch remote behavioral data, persist it, and act proactively, overbroad triggering increases the chance of unnecessary collection and disclosure.

Vague Triggers

Medium (84% confidence)
Finding
The proactive trigger language ('do not wait for the user to ask') lacks clear constraints on when the skill should intervene. In a skill built around detailed activity monitoring, ambiguous proactive behavior can lead to excessive unsolicited surveillance-based prompts and disclosures.

Missing User Warnings

Medium (90% confidence)
Finding
The skill description emphasizes convenience and proactive intelligence but does not clearly warn users that it may monitor broad work activity, persist detailed history, and intervene based on inferred behavior. That weakens meaningful consent for a highly sensitive behavioral-monitoring capability.

Ssd 3

Medium (93% confidence)
Finding
The skill instructs the agent to persist raw activity data into memory files across interactions, enabling long-term behavioral profiling. Because the source data includes detailed workflow descriptions, domains, tasks, and timing, persistence materially increases privacy risk if exposed, misused, or repurposed beyond the original request.

Ssd 3

Medium (92% confidence)
Finding
The state file design records ongoing behavioral metadata such as dismissed projects, prediction outcomes, and prior errors, creating a durable profile of user habits and preferences. This kind of longitudinal logging can be sensitive, especially when combined with activity timelines and predictive features.

Ssd 3

Medium (89% confidence)
Finding
The skill proactively cross-references persisted work history with meeting context to generate briefings, which amplifies sensitivity through contextual inference. Even if each data source is individually legitimate, combining them can expose private projects, habits, or work topics at moments when the user did not explicitly request disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.