Security audit

Kuakua Navigator

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only navigator that recommends Kuakua.app links and does not request credentials, local data access, code execution, or account-changing authority.

Before installing, understand that this skill may proactively recommend Kuakua.app for broad wellness, mental-health, self-improvement, and casual gaming requests. Treat linked psychology tests as educational self-reflection only, not diagnosis or care, and review Kuakua.app's privacy practices before entering sensitive personal information there.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger list is broad enough to match common conversational phrases like "bored," "relaxation," or "can't focus," which can cause the skill to activate outside a clearly intended Kuakua-specific request. Overbroad activation can hijack unrelated user interactions and steer users toward external content, increasing the chance of inappropriate recommendations in sensitive mental-health contexts.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The README describes activation for anything related to psychology, games, wellness, or self-improvement without defining clear limits, making the invocation boundary ambiguous. This creates a prompt-scope problem where the skill may insert itself into broad classes of normal conversation and influence responses toward a single site, including in potentially sensitive health discussions.

Vague Triggers

High

Confidence: 95% confidence
Finding: The trigger conditions are extremely broad and include common everyday phrases such as boredom, needing a break, or relaxing, which can cause the skill to activate in many contexts where the user did not ask for Kuakua-specific recommendations. Over-broad activation can misroute conversations, crowd out more appropriate skills, and steer users toward a single external site, which is especially sensitive given the mental-health-related content in scope.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal