Security audit

Gdpr

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local GDPR activity logger, but users should be careful because anything they type into it is saved in plaintext local logs and exports.

Install only if you want a simple local audit-log helper. Avoid entering passwords, API keys, raw personal data, full identifiers, or anything you would not want stored in plaintext under ~/.local/share/gdpr or included in exports. Protect or delete that directory according to your retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a GDPR compliance helper, but the documented behavior is a generic local logging toolkit that accepts and persists arbitrary free-form input across many categories. In a privacy/compliance context, this mismatch is dangerous because users may trust it as a specialized audit tool and end up storing sensitive personal, security, or compliance data locally without safeguards, validation, minimization, or clear scope boundaries.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially diverges from the declared GDPR-focused purpose and instead exposes a generic data-logging utility with unrelated commands such as generate, rotate, hash, and verify. In an agent-skill setting, this mismatch is dangerous because users and orchestrators may grant the skill access or trust based on its privacy/compliance description while it silently collects and stores arbitrary inputs.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file header and help text describe a generic security toolkit rather than a GDPR auditing skill, reinforcing that the published identity of the skill is misleading. This increases the risk of misuse and improper trust decisions because operators may believe they are invoking a narrow compliance tool when they are actually running a broader data-capture utility.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The presence of credential-oriented operations like store, retrieve, check-strength, rotate, hash, and verify is unjustified for a GDPR documentation skill and creates a pathway for users to input secrets into a tool that simply logs them. Because the skill context suggests privacy/compliance work, users may be more likely to provide sensitive material, making these misleading commands especially risky.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly encourages logging and exporting GDPR-related events such as consent revocations, identity verification, storage events, and audit findings, which can easily include personal data, secrets, or regulated compliance information. Without prominent warnings, minimization guidance, encryption, access controls, or masking, the tool can become a plaintext repository of sensitive data that is easy to expose through local compromise, backup leakage, or accidental export.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
User-supplied input is written verbatim to persistent log files under the user's home directory and also copied into a history log, with no notice, consent, redaction, or access protection. This is dangerous because the commands invite arbitrary free-form input that may include personal data, credentials, compliance notes, or other sensitive content, creating a plaintext local data leak and retention problem.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.