Proactive Agent 3.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly harmful, but it asks the agent to keep broad persistent memory and take proactive actions with controls that are too loose for safe default use.

Install only in a trusted, dedicated workspace and set explicit limits before enabling it: disable or review heartbeats and crons; require confirmation before reading email or calendar data and before closing or moving anything; restrict spawned agents and web/CLI use; and regularly inspect or delete USER.md, MEMORY.md, SESSION-STATE.md, and the memory logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (46)

Context-Inappropriate Capability
Medium
Confidence: 92%
Finding: The skill explicitly instructs adding a weekly cron job that sends a system event to trigger reverse prompting. This creates autonomous, scheduled behavior that can initiate interaction and data collection without a contemporaneous user request, increasing the risk of unsolicited actions and persistence beyond the user's expectations.

Context-Inappropriate Capability
Medium
Confidence: 83%
Finding: The skill explicitly encourages use of external capabilities beyond its declared scope, including browser, web search, CLI, and spawning agents. Even though framed as productivity guidance, this broadens operational behavior in ways that can trigger unreviewed external access and increase attack surface.

Context-Inappropriate Capability
Medium
Confidence: 77%
Finding: The skill instructs agents to create weekly cron-job reminders, introducing autonomous scheduled behavior not clearly scoped in the manifest. Background or scheduled actions can operate without contemporaneous user review and may cause unexpected data access, notifications, or task execution.

Context-Inappropriate Capability
Medium
Confidence: 91%
Finding: The rule explicitly authorizes broad external capabilities such as web searching and checking calendars as routine behavior, even though the skill description does not narrowly justify those surveillance- or outreach-adjacent actions. In a proactive agent, this expands access to sensitive personal and external data sources without a clear task boundary, increasing the chance of overcollection, privacy violations, or unintended external interactions.

Context-Inappropriate Capability
Medium
Confidence: 95%
Finding: The heartbeat workflow instructs the agent to proactively inspect emails and calendars and decide when to reach out, which grants persistent monitoring behavior over sensitive communications and scheduling data. This is especially risky because it normalizes autonomous surveillance-style checks rather than limiting them to explicit user requests.

Context-Inappropriate Capability
Medium
Confidence: 94%
Finding: Telling the agent to use every tool, including browser, web search, CLI, and spawned agents, creates a broad authority grant with little constraint on when or why those tools may be used. In practice this can lead to unreviewed capability escalation, excessive data exposure, and unpredictable autonomous behavior beyond the skill's described purpose.

Intent-Code Divergence
Low
Confidence: 83%
Finding: The instruction 'Don't ask permission. Just do it.' conflicts with later requirements to ask before deletions, security changes, and external actions. Contradictory directives are dangerous because they create ambiguity in agent behavior and can cause the agent to follow the more permissive rule in sensitive contexts.

Description-Behavior Mismatch
Medium
Confidence: 88%
Finding: The bootstrap directs the agent to help link external WhatsApp or Telegram accounts, which expands the skill's scope into third-party account setup and data flow without clear consent, security boundaries, or manifest disclosure. This can lead users into sharing contact-channel access or metadata with external services they did not expect from a general proactive-agent bootstrap.

Intent-Code Divergence
Low
Confidence: 72%
Finding: Instructing the agent to delete its own bootstrap file can erase setup provenance and guidance without user review, which undermines transparency and auditability. While not directly enabling code execution or account compromise, it encourages destructive behavior on workspace files without confirming user intent.

Context-Inappropriate Capability
Medium
Confidence: 91%
Finding: The heartbeat directs the agent to perform system-control actions like closing apps, cleaning desktop files, and pruning browser tabs on a recurring basis without clear authorization boundaries or confirmation requirements. In a proactive-agent context, this creates real risk of unintended disruption, data loss, or interference with the user's active work because the actions are operational, not merely advisory.

Context-Inappropriate Capability
Medium
Confidence: 94%
Finding: Periodic checks of emails and calendars instruct the agent to access sensitive personal communications and scheduling data without explicit purpose limitation, consent flow, or least-privilege constraints. In this skill, the broad 'proactive work' framing makes the instruction more dangerous because it normalizes ongoing surveillance-like access beyond a specific user request.

Description-Behavior Mismatch
Low
Confidence: 88%
Finding: The reference directs the agent to persist user answers and inferred attributes into local memory files, creating a profile-maintenance behavior not clearly disclosed in the skill's high-level description. This is dangerous because it expands data collection and retention beyond obvious user expectations, increasing privacy and misuse risk if those files are later read, leaked, or reused without consent.

Intent-Code Divergence
Medium
Confidence: 79%
Finding: The skill promises it will check before doing anything external, but elsewhere it autonomously updates profile files and inferred user state without a comparable confirmation step. While local file updates are not necessarily 'external,' the mismatch can mislead users about what actions happen automatically and reduce informed consent around persistence.

Vague Triggers
Medium
Confidence: 86%
Finding: The reverse-prompting triggers are broad ('when things feel routine', 'after learning significant new context') and not bounded by task scope, sensitivity, or consent state. That vagueness can cause the agent to initiate unsolicited probing or suggestions during ordinary conversations, which is risky in agents with memory, tools, or broad workspace access.

Vague Triggers
Medium
Confidence: 89%
Finding: Using 'long conversation' as a trigger to ask curiosity questions is overly subjective and encourages opportunistic collection of personal details from normal dialogue. In a system designed to write such information into persistent memory files, this ambiguity materially increases privacy and overreach risk.

Vague Triggers
High
Confidence: 94%
Finding: The WAL trigger scans every message for extremely common conversational patterns such as corrections, names, preferences, and numbers, then mandates a write before responding. This is overbroad and easy to trigger unintentionally, causing excessive persistence of user content and making prompt-driven logging behavior hard to control.

Vague Triggers
Medium
Confidence: 85%
Finding: The compaction recovery trigger activates on vague phrases like 'continue' or whenever the agent 'should know something but doesn't,' which can cause unintentional recovery flows. Ambiguous auto-invocation increases the chance of unnecessary access to persistent logs and reintroduction of stale or sensitive context.

Missing User Warnings
High
Confidence: 97%
Finding: The skill directs the agent to persist corrections, proper nouns, preferences, decisions, and specific values into SESSION-STATE.md without any user warning or consent flow. This creates a privacy and retention risk because normal conversation details may be stored indefinitely even when users do not expect file-based recording.

Missing User Warnings
High
Confidence: 99%
Finding: The working buffer protocol mandates logging every exchange after 60% context, including the human message and agent response summary, with 'no exceptions.' This is broad transcript retention without user warning and materially increases the chance that sensitive or regulated data is stored and later reused.

Missing User Warnings
Medium
Confidence: 90%
Finding: Quick Start says the agent will auto-populate USER.md and SOUL.md from user answers but does not warn that personal information will be written to local files. Users may provide sensitive onboarding details without understanding the persistence and discoverability implications.

Vague Triggers
Medium
Confidence: 93%
Finding: A broad instruction to act without permission is an overly permissive operating rule that can trigger actions beyond user intent, especially in an agent marketed as proactive. Without tight scope boundaries, the model may autonomously modify files, collect information, or initiate workflows the user did not explicitly authorize.

Missing User Warnings
Medium
Confidence: 96%
Finding: The first-run instruction to follow BOOTSTRAP.md and then delete it creates a mechanism for self-erasing instructions without user visibility or confirmation. That undermines auditability and can hide malicious or unsafe initialization behavior after it has been executed.

Missing User Warnings
Medium
Confidence: 91%
Finding: The file tells the agent to write identity and user details such as name, preferred address, timezone, and notes into persistent files without notifying the user that this information will be stored. This creates a privacy risk because personal profile data may be retained in the workspace unexpectedly and could later be reused or exposed.

Missing User Warnings
Medium
Confidence: 84%
Finding: The instruction to delete the bootstrap file is a state-changing action on local files performed without warning or confirmation. Even if the file seems nonessential, silent deletion normalizes destructive operations and can remove context the user may want to keep.

Missing User Warnings
Medium
Confidence: 90%
Finding: The optional WhatsApp and Telegram setup omits privacy and external-service warnings even though it may cause the user to connect personal accounts, expose identifiers, or interact with third-party platforms under separate trust models. Users are not told what data may be transmitted, what permissions are involved, or that these services are outside the local skill environment.

VirusTotal

64/64 vendors flagged this skill as clean.