Proactive Soul

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware-like, but it asks for broad persistent authority to change agent behavior, read private context, and send scheduled messages without a strong runtime consent gate.

Install only if you explicitly want an agent that changes AGENTS.md, keeps a persistent thread file, reads broad local/private context, and sends four proactive messages per day through your configured channel. Before enabling, review the AGENTS.md patch, limit QMD indexing to intended paths, keep sensitive vaults out unless you want them used, confirm the messaging channel is private, and know how to disable the cron jobs and delete CURIOSITY.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The proposal explicitly states that the skill automatically patches AGENTS.md and creates CURIOSITY.md on first load, but it does not present a clear user-facing warning, consent step, or rollback plan. Silent modification of workspace control files can alter agent behavior persistently and unexpectedly, which is a real security and safety concern even if the intent appears to be product functionality rather than abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill proposes four unprompted daily dispatches delivered over the agent's configured messaging channel, but the proposal does not include an explicit privacy, notification, or consent warning. Unprompted outbound messaging can leak sensitive context, create unwanted notifications, or surprise users and third parties, especially when messages are synthesized from persistent memory and prior sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The protocol explicitly says outbound dispatches are sent to the user and saved into daily memory files, making them part of a searchable corpus, but it does not require a recurring user-facing notice about what data is retained, where it is indexed, or how long it persists. In context, the skill also instructs the agent to search across the full workspace, Obsidian vault, and session history, which increases the privacy sensitivity and makes silent persistence of autonomous messages materially risky.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The file mandates four unprompted daily messages and says not to announce that this is being done, creating a design for persistent unsolicited outreach rather than user-initiated interaction. Although the document references initial consent, the operational behavior is still coercive-by-default at send time and is made more sensitive by the instruction to mine broad personal and workspace data to craft the messages.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to modify workspace state on first load and to do so automatically without waiting for user approval. Even though the behavior is documented, autonomous file modification of AGENTS.md and creation of CURIOSITY.md changes persistent agent behavior and can expand future data access and outbound activity without an execution-time consent gate.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill says the intellectual character and pushback protocol apply in every interaction, which persistently alters agent behavior beyond the user's immediate request. This is risky because it can override expected interaction norms, cause unsolicited argumentative behavior, and make the agent act under hidden standing instructions the user did not affirm per session.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to always load `knowledge-personal.md` and use it in proactive outbound messages. Because those messages are unsolicited and may be sent over external channels, this creates a real semantic data-leak risk: personal thoughts, quotes, preferences, or sensitive context can be echoed or inferred in ways the user did not intend to share.

Ssd 3

Medium
Confidence
92% confidence
Finding
The customization guidance encourages storing the user’s own words, profile details, and relational context to make unsolicited dispatches more targeted. In this skill’s context, that increases danger because the same system also sends unprompted external messages, so personalization data can be transformed into outbound content that leaks sensitive personal information or reveals private behavioral patterns.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill directs the agent to read workspace, memory, and vault content and to incorporate the user's own thinking into future proactive dispatches. That creates a data reuse pipeline for potentially sensitive user-authored content in unsolicited outbound messages, increasing the chance of privacy leakage, overcollection, and accidental disclosure through the configured messaging channel.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to record unresolved conversational content into a persistent file for later reuse across sessions and proactive messages. Persistent storage of user-derived thoughts and relationship context increases privacy risk, can capture sensitive material without clear consent boundaries, and makes later resurfacing more likely in contexts the user did not expect.

Ssd 3

Medium
Confidence
92% confidence
Finding
The added salience-tagging and high-salience summary instructions encourage the agent to identify and preserve notable user interactions for fast future retrieval. This increases the likelihood that emotionally important, sensitive, or personally revealing moments are retained and resurfaced later, potentially amplifying privacy harm beyond ordinary session memory.

Ssd 4

Medium
Confidence
94% confidence
Finding
The first-run setup combines autonomous file modification, persistent memory structures, and scheduled outbound messaging into a normalized workflow that increases the agent's autonomy over time. In context, this is more dangerous because the skill is specifically designed to read accumulated user data and generate unsolicited communications, so each setup step compounds privacy and behavioral risk.

VirusTotal

64/64 vendors flagged this skill as clean.