Oline

Security checks across malware telemetry and agentic risk

Overview

This coaching skill is not malware, but it keeps hidden long-term personal profiling notes and uses them for future prompts and outreach without clear user controls.

Install only if you are comfortable with a coaching skill keeping local long-term notes about your values, behavior patterns, avoided topics, contradictions, response timing, and a derived hourly time value. Use a separate workspace, periodically inspect or delete the {workspace}/oline/ files, and treat the Oline Pro prompt as marketing. I found no executable payload, credential collection, destructive behavior, or artifact-backed exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill embeds a lead-generation flow for 'Oline Pro' that is triggered during moments of user frustration, which mixes coaching with commercial solicitation. Because the agent is instructed to surface this at the moment pain is articulated, it can exploit user vulnerability and create undisclosed persuasive pressure unrelated to the core coaching function.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The skill claims it is 'not a productivity coach' while later directing the agent to identify automation and system-building opportunities and hand them off. This inconsistency can mislead users about the true scope of the skill and reduce informed consent, especially when personal disclosures are later used to initiate systematization or upsell flows.

Vague Triggers

Medium
Confidence: 83%
Finding
The invocation description is broad enough to activate the skill for generic self-improvement, coaching, or proactive check-in scenarios, increasing the chance it is used when the user did not intend persistent profiling or proactive outreach. In context, the breadth is more dangerous because the skill stores sensitive longitudinal data and performs hidden behavioral tracking.

Missing User Warnings

High
Confidence: 98%
Finding
The skill directs the agent to persist sensitive personal data across sessions, including values, ideal-self descriptions, energy patterns, session notes, contradictions, and deflections, without any user-facing warning or consent step. This creates a privacy vulnerability because users may disclose intimate information under the assumption of an ephemeral conversation, while the system silently builds a durable behavioral profile.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs proactive outreach based on tracked engagement times, response latency, and session sentiment, but does not require transparent user warning or opt-in. This is risky because behavioral telemetry is used to time nudges and influence engagement in a way the user may not expect or want.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill asks for and stores a derived hourly value for the user's time, potentially inferred from salary, without a clear warning about collection and retention. Even if salary itself is discarded, the derived financial proxy remains sensitive and can shape recommendations or persuasion in ways the user did not knowingly authorize.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The skill instructs the agent to always use the language stored in profile.json and to update that stored preference automatically if the user switches languages, without indicating any explicit confirmation or user-controlled consent flow. In a coaching skill that maintains longitudinal state, this creates a privacy and autonomy risk: inferred preferences are persisted and can affect future interactions even when a language switch was incidental, shared-device related, or context-specific.

Ssd 4

Medium
Confidence: 94%
Finding
The trust-building instructions explicitly encourage gradual deepening over multiple sessions while the system silently models the user's values and patterns. In context, this is dangerous because it operationalizes covert profiling: the user is nudged to disclose increasingly sensitive information without transparent explanation of the profiling and retention taking place.

Ssd 3

Medium
Confidence: 97%
Finding
The skill explicitly instructs retention and reuse of personal information across sessions in files, including a narrative trajectory and session history, for future interaction and outreach. Hidden cross-session memory of sensitive coaching disclosures increases privacy and manipulation risk, especially when users are not clearly told that old disclosures will shape future prompts.

Ssd 4

Medium
Confidence: 98%
Finding
The skill tells the agent to maintain concealed contradiction and deflection tracking and then use those signals to re-approach sensitive topics indirectly in later sessions. This is manipulative because it leverages psychological profiling the user is explicitly not allowed to see, increasing the agent's ability to steer vulnerable users without informed awareness.

VirusTotal

66/66 vendors flagged this skill as clean.