Okr Planner

Security checks across malware telemetry and agentic risk

Overview

This OKR planning skill is generally coherent and local-only, but one bundled helper script saves entered task data and command history on disk.

Before installing, be aware that the bundled task-manager helper can keep OKRs, task names, reminders, and command history in a local okr-planner data directory. Avoid entering sensitive company goals on shared or backed-up machines unless that storage is acceptable, or set OKR_PLANNER_DIR to a controlled location and remove the directory when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The script persistently stores user-supplied task content in predictable local files under the user's home/data directory and additionally records command history in history.log without any explicit disclosure or privacy controls. In a productivity tool, tasks may contain sensitive personal or business information, so silent retention increases the risk of unintended local disclosure through backups, shared accounts, lax file permissions, or later exfiltration by other software.

VirusTotal

64/64 vendors flagged this skill as clean.
