Room

Security checks across malware telemetry and agentic risk

Overview

The skill appears to keep household-related user input locally, which may be useful but needs review because the persistence is broad and under-disclosed.

Review this skill’s storage behavior before installing. Use it only if you are comfortable with local history being saved under ~/.local/share/room, and avoid entering sensitive household, schedule, financial, or security details unless the skill adds clear retention, deletion, and file-permission safeguards.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script persistently stores all user-provided inputs and history under ~/.local/share/room without any upfront privacy notice, retention policy, or permission hardening. In a home-management context, these entries can contain sensitive household details, schedules, inventory, costs, or maintenance information that could expose privacy and security-relevant data if the local account or backups are accessed.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal