Security audit

Ai Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This daily-briefing skill appears useful, but it may read private workspace and calendar information from broad prompts without clear upfront consent.

Review this skill carefully before installing. It should only be used if you are comfortable with it reading local todos, meeting notes, memory files, and calendar data to produce briefings. Prefer explicit invocation, first-run confirmation, and source controls that let you disable calendar, notes, or memory access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (95% confidence)
Finding
The trigger phrases are broad conversational prompts like "start my day," "what do I need to know?" and "give me the rundown," which can match ordinary user intent outside a deliberate invocation of this skill. That creates unintended activation risk, causing the agent to read and summarize local files or calendar data when the user did not explicitly consent to this skill's data access path.

Missing User Warnings

Medium (97% confidence)
Finding
The skill explicitly instructs the agent to inspect `todo.md`, `meeting-notes/`, memory files, and calendar data, but the user-facing description does not clearly warn that potentially sensitive workspace and personal scheduling information will be accessed. This weakens informed consent and can lead to over-collection or unexpected disclosure of private content in the generated briefing.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.