Back to skill

Security audit

Ai Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent daily briefing helper, but it should be reviewed because broad trigger phrases can cause it to read sensitive task, meeting, memory, and calendar data without an explicit per-source confirmation.

Install only if you are comfortable with the agent summarizing local task lists, recent meeting notes, memory/context files, and calendar entries. Prefer explicit prompts like 'daily briefing,' avoid broad triggers for unrelated questions, and disable or avoid calendar and memory sources unless you intend them to be included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad and conversational, including inputs like "what do I need to know?" and "give me the rundown," which can overlap with ordinary user requests unrelated to this skill. That can cause unintended activation and prompt the agent to read workspace files, meeting notes, memory files, or calendar data without the user clearly intending a briefing, creating a privacy and context-leak risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The public-facing description says the skill provides a morning briefing with "no setup" but does not disclose that it may read todo.md, meeting notes, memory files, and calendar data. This omission undermines informed consent and can surprise users into exposing sensitive personal or business context when they invoke a simple-sounding command like "briefing."

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.