Back to skill

Security audit

Roadmap

Security checks across malware telemetry and agentic risk

Overview

This is a local roadmap command-line helper that stores user-entered planning data on disk, with no evidence of credential access, network transfer, privilege escalation, or destructive behavior.

Reasonable to install if you want a local roadmap CLI. Do not enter passwords, API keys, or sensitive business details unless you are comfortable with them being stored locally in plaintext and included in exports; also note that the documentation claims ROADMAP_DIR can change the data directory, but the reviewed script hardcodes ~/.local/share/roadmap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description says the skill should be used whenever a user 'need[s] roadmap,' which is overly broad and can cause the agent to invoke this skill in situations beyond its intended scope. Broad invocation cues increase the chance of unnecessary tool use, context leakage into the tool, or unsafe automation in unrelated workflows, especially because the skill is positioned for general command-line and pipeline use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores raw user-provided input and activity history persistently under ~/.local/share/roadmap without any notice, consent flow, or data-minimization controls. In a command-line productivity tool, users may reasonably enter sensitive planning notes, reminders, or personal work data, so silent retention increases privacy and local data exposure risk to other local users, backups, or later exports.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export function consolidates all accumulated logs into new export files on disk, potentially duplicating sensitive historical data into easier-to-share formats such as CSV, TXT, and malformed-but-readable JSON, again without explicit warning or confirmation. This broadens the exposure surface because older entries that a user may have forgotten were retained become repackaged into a single artifact that can be copied, synced, or disclosed unintentionally.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.