Back to skill

Security audit

IceCube Heartbeat

Security checks across malware telemetry and agentic risk

Overview

This markdown-only skill is not malware, but it asks an agent to perform recurring background work that can change repositories, memory, and installed skills without clear user approval.

Install only if you are comfortable with scheduled autonomous maintenance. Keep heartbeat behavior read-only by default, disable automatic commits, pushes, skill installs, and memory promotion unless each action is explicitly approved, and separately opt in to any email, calendar, weather, or API checks with narrow scopes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill expands a maintenance heartbeat into proactive monitoring of email, calendar, and weather, which are unrelated to the core self-check purpose and may expose sensitive user context. Because these checks occur during idle polls, they normalize background access to private data without clear necessity, consent boundaries, or minimization controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Allowing the agent to commit and push changes or install new skills during heartbeat grants autonomous system-modifying capabilities far beyond passive maintenance. This creates a pathway for unintended code changes, supply-chain exposure, and persistence of bad decisions without contemporaneous user review.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest describes proactive maintenance, but the body authorizes broad project operations and software changes under the vague banner of heartbeat work. This mismatch is dangerous because operators may enable the skill expecting harmless checks while actually granting authority to alter repos, documentation, memory, and installed capabilities.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill labels system-modifying actions as 'safe to do during heartbeat' and 'without asking,' but provides no warning that these actions can alter code, repositories, or the agent's installed capabilities. Presenting such behavior as routine background maintenance increases the risk that users unknowingly authorize impactful changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages background access to email, calendar, and weather-derived personal context without a clear privacy disclosure or consent model. Even if intended as helpful outreach, this can lead to silent collection or surfacing of sensitive information outside user expectations.

Ssd 3

Medium
Confidence
91% confidence
Finding
The heartbeat is instructed to monitor and proactively surface potentially sensitive data from email, calendar, and contextual signals about the user's activities. Continuous background review of such sources increases privacy risk and may reveal personal or confidential information in unsolicited notifications.

Ssd 3

Medium
Confidence
88% confidence
Finding
The workflow instructs the agent to scan logs, detect user corrections, and promote information into long-term memory files, creating a mechanism for persistent retention of user-provided data. Without explicit rules on consent, minimization, and retention, this can store sensitive or unnecessary information beyond the user's expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.