Learning-Forge

Security checks across malware telemetry and agentic risk

Overview

The skill appears useful, but its very broad triggers and local note-saving behavior need review before installation.

Review the skill's storage paths and disable or avoid persistence unless you want it to save notes, snippets, glossary terms, and progress across sessions. Be cautious using it with confidential code, business plans, client data, or personal notes until the skill offers clear opt-in, inspect, export, and delete controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation criteria are extremely broad and match common help-seeking phrases such as 'What is', 'How do I', and 'Help me understand', which can cause the skill to trigger in many unrelated contexts. That increases the chance of unintended routing into a skill that performs research, scaffolding, and persistence behaviors, expanding its operational surface without clear user intent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly stores snippets, journal entries, glossary terms, and progress in local files under the user's home directory, but does not present a prominent upfront disclosure or consent flow before retention begins. This creates a privacy and data-handling risk because users may provide code, notes, or project details without realizing they will persist across sessions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal