Active Learner

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by writing lessons into memory, but it can also modify any existing file path supplied to its hidden file option without confirmation or backup.

Review this before installing. Use it only if you are comfortable with a skill that can rewrite persistent MEMORY.md content. Avoid passing --file unless you have verified the exact target path, and consider backing up MEMORY.md first because the skill has no built-in preview, confirmation, or rollback.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill performs a direct write to MEMORY.md using user-supplied content and an optionally user-controlled file path, but provides no confirmation, dry-run, backup, or warning before modifying persistent data. In an agent context, this is dangerous because invoking the skill can silently alter long-lived memory/state, enabling accidental corruption, prompt/data poisoning, or unintended overwrites of files the process can access.

VirusTotal

No VirusTotal findings

View on VirusTotal