
Security audit

Promptfolio Summarize

Security checks across malware telemetry and agentic risk

Overview

This skill has a genuine platform-profiling purpose, but it reads and profiles broad private AI chat history and local tool telemetry under consent that is scoped narrower than the data it collects, and it persists the profile it derives.

Install only if you are comfortable letting this skill inspect broad AI chat histories and local coding-agent telemetry to create a personal profile. Before syncing, review the generated _pf_parts files and promptfolio_payload.json, avoid unknown-source scanning unless you explicitly want it, and treat direct quotes, project summaries, activity data, and behavioral fingerprints as sensitive.
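The review step above is easier to do mechanically than by eye. The script below is an added example (not code from the skill or its vendor): it walks the `_pf_parts` directory and `promptfolio_payload.json` named in this audit and reports every string a reviewer would want to see before syncing: secret-shaped tokens, absolute paths under a home directory, and long values under keys that typically hold verbatim quotes. The internal layout of those files is not documented on this page, so the walker is schema-agnostic; the secret patterns, the quote key names and the sample documents written by `demo()` are all assumptions made for the example.

```python
"""Pre-sync review of generated Promptfolio artifacts.

Added example, not code from the audited skill or its vendor: walks the
_pf_parts directory and promptfolio_payload.json named in the audit and reports
strings a reviewer should see before anything is uploaded. The internal JSON
layout of those files is not known, so the walker is schema-agnostic, and every
pattern, key name and sample document below is an assumption.
"""
import json
import re
import tempfile
from pathlib import Path

# Secret shapes a profile should never carry. Assumed patterns, not from the skill.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{30,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}"),
}
# Absolute paths under a home directory leak usernames and project layout.
HOME_PATH = re.compile(r"(?:/Users/|/home/|[A-Za-z]:\\Users\\)[^\s\"']+")
# Keys likely to hold verbatim user text (direct quotes). Assumed names.
QUOTE_KEYS = {"quote", "quotes", "evidence", "excerpt", "raw", "message", "messages"}


def walk(obj, path="$"):
    """Yield (json_path, string) for every string leaf in a JSON value."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")


def review_file(path: Path):
    """Return [(kind, json_path, excerpt)] for one JSON artifact."""
    findings = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [("unreadable", str(path), str(exc))]
    for jpath, text in walk(data):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(text):
                findings.append((f"secret:{name}", jpath, text[:60]))
        if HOME_PATH.search(text):
            findings.append(("home_path", jpath, text[:60]))
        last_key = jpath.rsplit(".", 1)[-1].split("[")[0]
        if last_key in QUOTE_KEYS and len(text) > 40:
            findings.append(("verbatim_text", jpath, text[:60]))
    return findings


def review_artifacts(root: Path):
    """Review every JSON file in root/_pf_parts plus root/promptfolio_payload.json."""
    parts = root / "_pf_parts"
    candidates = sorted(parts.glob("*.json")) if parts.is_dir() else []
    payload = root / "promptfolio_payload.json"
    if payload.exists():
        candidates.append(payload)
    return {f.name: review_file(f) for f in candidates}


def demo():
    """Write constructed sample artifacts to a temp dir and review them."""
    root = Path(tempfile.mkdtemp())
    parts = root / "_pf_parts"
    parts.mkdir()
    # Constructed sample content; not produced by the real skill.
    (parts / "activity.json").write_text(
        json.dumps({"sessions": 12, "busiest_hour": 23}), encoding="utf-8")
    (parts / "meta.json").write_text(
        json.dumps({"generated_at": "2024-01-01T00:00:00Z", "tool_count": 3}), encoding="utf-8")
    (parts / "behavioral_fingerprint.json").write_text(json.dumps({
        "work_style": "iterative",
        "evidence": ["I keep the staging DB creds in /Users/alice/proj/.env, "
                     "token is sk-abcdefghijklmnopqrstuvwxyz1234"],
    }), encoding="utf-8")
    (root / "promptfolio_payload.json").write_text(json.dumps({
        "summary": "Backend engineer focused on payments",
        "quotes": ["short"],
        "meta": {"repo": "/home/alice/src/ledger"},
    }), encoding="utf-8")
    return review_artifacts(root)


if __name__ == "__main__":
    for fname, findings in demo().items():
        print(fname, "clean" if not findings else "")
        for kind, jpath, excerpt in findings:
            print(f"  {kind:24} {jpath}: {excerpt}")
```

Run it against the real output directory by replacing the `demo()` call with `review_artifacts(Path("."))` from the directory the skill writes to; anything reported as `secret:` or `home_path` should be removed from the artifacts before syncing, and `verbatim_text` hits are the direct quotes the overview warns about.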

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
Finding: The skill says analysis is local-only, yet it requires network-based update checks and token validation/authentication before analysis. Even if raw chats are not uploaded at that stage, this still creates external communication and breaks the privacy assurance presented to the user.

Intent-Code Divergence

Severity: Low | Confidence: 83%
Finding: The statement that no raw conversation content is sent during analysis is narrower than 'no network activity', but in context it is used as a reassuring privacy claim placed immediately before broader collection and after remote calls the skill already requires. That sequencing is misleading: it leads users to underestimate their exposure and to accept the subsequent expansion of scope.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding: The skill explicitly instructs the model to construct a detailed portrait of a real person from conversation logs, including inferred traits and behavioral patterns. That goes beyond simple summarization and creates a profiling function that can infer sensitive personal characteristics from broadly collected text.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
Finding: The behavioral fingerprint section directs the model to interpret local coding-agent telemetry and combine it with conversation content to generate personalized behavioral insights. This materially expands the scope from summarization into cross-source user profiling using potentially sensitive usage metadata.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding: This script performs a full remote device-auth flow, retrieves an API token, and stores that token locally, yet the skill is presented as a conversation summarization tool rather than an authentication/integration feature. That mismatch is security-relevant because users may consent to running it without understanding that it creates a persistent credential tied to a remote service.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding: The script can launch a browser and direct the user into a remote login flow, which is not obviously necessary from the stated skill description. In a skill ecosystem, undisclosed capability to initiate account-linking increases phishing-like risk and reduces informed consent, especially when paired with remote endpoints controlled by an external service.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding: This code materially exceeds the stated purpose of computing session statistics and heat-map data by building a persistent behavioral/personality profile from multiple local sources under the user's home directory. In an agent skill context, that creates undisclosed profiling and collection of sensitive inferred attributes, which is dangerous because users would reasonably expect analysis of the provided session list, not cross-device behavioral surveillance.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding: The script independently opens unrelated local data stores, such as the ~/.claude projects, history and settings files and the Cursor SQLite tracking database, to infer personal traits, work style, model preference, and activity patterns. That is a privacy-invasive expansion of scope beyond conversation summarization and can expose sensitive behavioral, project, and usage data without the user's informed consent.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding: The module documentation states that it reads the session list from SESSION_LIST and computes session statistics, but later code performs independent filesystem discovery under the user's home directory. This mismatch is security-relevant because it conceals broader data access from reviewers and users, undermining informed consent and increasing the chance of covert over-collection.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
Finding: The script claims to discover existing session files, but in the opencode branch it opens a local SQLite database, reconstructs message contents, writes synthesized JSON conversation files to a temporary directory, and appends those new file paths to the session list. This expands the skill from passive discovery into active extraction and duplication of sensitive chat history, increasing privacy exposure and leaving additional copies on disk that may persist beyond the run.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
Finding: The header comments state the script only discovers session files, but the implementation also synthesizes new files from opencode's database contents. That mismatch is security-relevant because users or reviewers may authorize a low-risk file-enumeration action without realizing the script performs content extraction and creates additional sensitive artifacts.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding: The script reads a local configuration file from the user's home directory to extract an API URL, then automatically opens a browser to a derived endpoint. For a skill whose stated purpose is conversation analysis, this side effect is not necessary and can cause unreviewed network/UI actions against attacker-controlled or unexpected hosts if the config is modified or untrusted.

Vague Triggers

Severity: Medium | Confidence: 92%
Finding: The instruction to include 'other coding agents' without strict boundaries creates open-ended discovery of unrelated local data sources. In a skill that profiles the user from private conversations, undefined scope materially increases the risk of overcollection and analysis of sensitive data the user did not reasonably expect to be included.

Missing User Warnings

Severity: High | Confidence: 98%
Finding: The skill instructs scanning unknown tool directories and automatically including logs if they look like conversation data, without prior user warning or consent for those extra sources. This is dangerous because it expands data access from named tools to arbitrary local applications, increasing the chance of collecting highly sensitive prompts, credentials, or personal conversations.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding: The skill description presents itself as conversation analysis, but the body instructs generation of a detailed personal portrait, including behavioral and decision-style inference. Without an explicit user-facing warning, users may provide or authorize analysis without understanding that deep profiling and quote extraction will occur.

Missing User Warnings

Severity: High | Confidence: 98%
Finding: The script reads sensitive history, settings, tool usage, and database records from local agent products without any visible warning, permission check, or granular consent. In a skill environment, silent collection from hidden app directories is especially dangerous because users may not realize the skill is harvesting long-term behavioral data rather than just summarizing selected conversations.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding: The script persists activity and behavioral profiling artifacts to _pf_parts/activity.json, meta.json, and behavioral_fingerprint.json without explicit warning or confirmation. Persisting derived profiles increases the risk of later unintended disclosure, reuse, or exfiltration by other tools, especially when those files summarize sensitive habits and inferred traits.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding: The script exports conversation data from a local application database into temporary JSON files and only reports extraction errors, not the privacy implications of copying potentially sensitive prompts, code, secrets, and personal content. In the context of a profiling/summarization skill that aggregates histories across many coding agents, silent export materially increases the chance of over-collection and unintended disclosure.

Ssd 3

Severity: High | Confidence: 99%
Finding: The core behavior is to inspect and synthesize private AI conversation histories across many tools into a personal portrait. That is inherently sensitive profiling: the data may contain confidential code, business context, medical/legal/personal discussions, secrets, and behavioral traits far beyond what is needed for basic local tool operation.

Ssd 3

Severity: High | Confidence: 99%
Finding: Automatically adding logs from unknown AI tools compounds the sensitive-data issue because the user cannot meaningfully anticipate which products or transcript formats will be swept in. In this context, the skill is not just reading known histories; it is opportunistically broadening surveillance of the user's private interactions.

Ssd 3

Severity: High | Confidence: 98%
Finding: The workflow tells the agent to investigate zero-session tools manually, explore missed data locations, and append extra session files from non-standard paths. That creates a strong incentive to hunt for more private content than the user initially agreed to, increasing overcollection and accidental access to unrelated sensitive material.

Ssd 4

Severity: High | Confidence: 96%
Finding: The staged flow first reassures the user about privacy, then proceeds to broaden collection across multiple chat systems, derive a detailed psychological/professional portrait, persist artifacts, and later upload structured results. This combination is especially dangerous because the reassuring framing can lower user skepticism while enabling sensitive profiling and downstream transmission.

Ssd 3

Severity: Medium | Confidence: 95%
Finding: The prompt instructs broad aggregation of user messages into a unified profile of a real person, including statements, preferences, behavioral dimensions, and inferred traits. Even with some redaction guidance, consolidating dispersed conversational data into a single natural-language dossier increases privacy and disclosure risk significantly.

Ssd 3

Severity: Medium | Confidence: 94%
Finding: The prompt repeatedly requires direct user quotes as evidence across outputs, which increases the chance of exposing private, contextual, or identifying information from conversation history. Quoted material can preserve sensitive details even when names or project labels are partially redacted.

Ssd 3

Severity: Medium | Confidence: 97%
Finding: Combining raw telemetry with conversational content into personalized insights creates a richer disclosure surface than either source alone. This encourages the model to synthesize sensitive usage patterns, habits, and inferred working style in a way that can reveal more than the user likely intended to share.
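Several of the findings above (the session-discovery script that wanders the home directory and opens other agents' SQLite stores, the device-auth script that calls a remote API, launches a browser and persists a token) share one shape: the code exercises a capability the skill description never declares. The script below is an added example, written for this page and not SkillSpector's code or the audited skill's code. It scans Python source for markers of those capabilities, maps each hit to the SkillSpector pattern family it most resembles, and diffs the observed families against the ones the skill declares; a non-empty difference is the Description-Behavior Mismatch signal. The marker regexes, the family mapping and the two sample scripts it scans are constructed for the example and do not reproduce the real skill's code or paths.

```python
"""Static capability check for an agent skill's scripts.

Added example, not SkillSpector's code and not the audited skill's code: scans
Python source text for capability markers (home-directory discovery of other
agents' data, SQLite opens, network calls, browser launches, environment reads,
token persistence), maps each hit to the SkillSpector pattern family it most
resembles, and diffs that against what the skill declares. The marker list, the
family mapping and the two sample scripts are constructed for this example.
"""
import re

# (pattern family, marker label, regex). The family mapping is an assumption.
MARKERS = [
    ("File System Enumeration", "home_dir_discovery",
     re.compile(r"expanduser\(\s*['\"]~[/\\]\.?(claude|cursor|codex|opencode|config)")),
    ("File System Enumeration", "glob_walk",
     re.compile(r"\b(os\.walk|glob\.glob|rglob)\(")),
    ("File System Enumeration", "sqlite_open",
     re.compile(r"\bsqlite3\.connect\(")),
    ("External Transmission", "http_call",
     re.compile(r"\b(requests\.(get|post|put)|urllib\.request\.urlopen|httpx\.(get|post))\(")),
    ("Excessive Agency", "browser_launch",
     re.compile(r"\bwebbrowser\.open\(")),
    ("Env Variable Harvesting", "env_read",
     re.compile(r"\bos\.environ(\.get\(|\[)")),
    ("Excessive Agency", "token_persist",
     re.compile(r"json\.dump\([^\n]*token|(token|api_key|credential)[^\n]{0,40}\.write\(")),
]


def scan_source(source: str):
    """Return [(line_no, family, label, stripped_line)] for every marker hit."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not behaviour
        for family, label, rx in MARKERS:
            if rx.search(line):
                hits.append((no, family, label, stripped))
    return hits


def undeclared_families(declared, hits):
    """Families observed in code but absent from the skill's stated capabilities.
    A non-empty result is the Description-Behavior Mismatch signal."""
    return {family for _, family, _, _ in hits} - set(declared)


# Constructed samples that resemble the behaviours in the findings; they are
# not the audited skill's code and the paths are invented.
SAMPLE_DISCOVER = '''
import os, glob, sqlite3
# discover session files for the named tools
claude_dir = os.path.expanduser("~/.claude/projects")
sessions = glob.glob(os.path.join(claude_dir, "**", "*.jsonl"), recursive=True)
db = sqlite3.connect(os.path.expanduser("~/.config/opencode/example.db"))  # path constructed
'''

SAMPLE_AUTH = '''
import json, os, requests, webbrowser
resp = requests.post(API + "/device/code")  # API constructed
webbrowser.open(resp.json()["verification_uri"])
with open(os.path.expanduser("~/.promptfolio/token"), "w") as fh:
    json.dump({"token": resp.json()["token"]}, fh)
'''


if __name__ == "__main__":
    cases = [("discover.py", SAMPLE_DISCOVER, {"File System Enumeration"}),
             ("auth.py", SAMPLE_AUTH, {"External Transmission"})]
    for name, src, declared in cases:
        hits = scan_source(src)
        print(name, "undeclared families:", undeclared_families(declared, hits) or "none")
        for no, family, label, line in hits:
            print(f"  {no}: [{family}] {label}: {line}")
```

Regex markers only catch what they are written for, so treat an empty result as "nothing obvious", not as clearance; the value of the check is the diff between declared and observed families, which is exactly the gap the Description-Behavior Mismatch and Intent-Code Divergence findings describe.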

VirusTotal

66/66 vendors flagged this skill as clean. A clean VirusTotal result means no engine matched known malware signatures; it does not address the consent, over-collection and undisclosed-capability findings above, which are behavioural rather than malicious-code findings.