Goal Setter

Security checks across malware telemetry and agentic risk

Overview

This is a normal local goal tracker, but its script handles goal text unsafely enough that crafted input could run unintended local code.

Install only if you trust the publisher and avoid using untrusted or specially crafted goal, milestone, or deadline text. The local data storage is expected, but the script should be fixed to pass user input as data rather than embedding it into Python source before broad use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The description uses broad invocation language such as 'Use when you need Goal Setter capabilities,' which lacks clear trigger boundaries and could cause the agent to invoke the skill more often than necessary. In an agent ecosystem, overly broad routing increases the chance of unintended activation and unnecessary access to user task context, even though this specific skill appears low risk and personal-productivity focused.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal