Back to skill

Security audit

Notification

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a notification manager, but its script mainly stores arbitrary command text in local log files instead of sending or tracking notifications.

Review this as a local logging utility, not a functional notification system. Do not pass secrets, private messages, operational alerts, tokens, or sensitive identifiers to its commands unless you are comfortable with them being stored under ~/.local/share/notification and possibly exported later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is narrowly framed around terminal notifications, but the command surface shown in the markdown exposes a much broader generic input-logging and data-management capability. That mismatch can mislead users and calling agents into supplying arbitrary content that is then persistently stored, searched, exported, and summarized, increasing the chance of unintended collection and retention of sensitive data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The advertised capability is notification management, but the exposed interface is a generic multi-purpose logger with unrelated commands. This mismatch is dangerous because users or higher-level agents may trust the skill to perform notification operations while it instead stores arbitrary data locally, creating deception risk and unintended data retention.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The core command handlers do not manage notifications at all; they append arbitrary user input into per-command log files under the user's home directory. In an agent setting, this can silently capture prompts, tokens, secrets, or operational data that users believed were being sent as notifications, leading to privacy and data-handling risks.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The presence of unrelated content-processing verbs like convert, analyze, generate, batch, compare, config, and report expands the skill surface beyond its stated purpose without justification. In a security review, unjustified capability breadth increases the chance of misuse, operator confusion, and hidden data collection through commands that appear more powerful than they are.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The help text claims that 'export' and 'status' perform export and health-check operations, but the first matching case labels instead log arbitrary input, making the real implementations unreachable. This deceptive interface can cause users and agents to pass sensitive data expecting operational actions while the script silently persists that data to disk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broad enough that an agent may invoke it in many loosely related situations without strong trigger constraints. In the context of a tool that logs activity and stores data locally, over-broad invocation raises the risk of collecting or persisting user content unnecessarily or outside user expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation advertises automatic history/activity logging and local storage but does not prominently warn that notification contents and related metadata may persist on disk. For a notification-oriented skill, that creates a realistic privacy risk because users may pass sensitive alerts, operational details, or personal data believing the interaction is transient.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User-provided input is written persistently to local log files without clear warning, consent, minimization, or sensitivity checks. In the context of an agent skill, users may provide notification content, identifiers, or secrets, and silent persistence increases privacy, compliance, and data-exposure risk if the home directory is later accessed or backed up.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.