weeek-tasks

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward WEEEK task-management helper that uses a user-provided API token to read and change WEEEK tasks.

Install this only if you want an agent to read and modify WEEEK tasks using your WEEEK API token. Keep WEEEK_TOKEN private, prefer the narrowest token permissions available, and explicitly review any create, update, complete, uncomplete, or move command before running it against a shared workspace.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation describes create, update, complete, uncomplete, and move operations against a live remote task-management system without clearly warning that these commands change persistent WEEEK data. In an agent context, this increases the risk of unintended destructive or confusing state changes, especially if a user assumes the actions are local or exploratory.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill instructs users to place an authorization token in an environment variable but gives no guidance on secure handling, storage, scope, rotation, or avoiding accidental disclosure in logs and shells. While common, this omission can lead to credential leakage or overbroad token exposure in shared or automated environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal