Task Progress Report

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a task progress reporter that writes local markdown status reports and does not show hidden, destructive, credential, or exfiltration behavior.

Before installing, decide whether you want long-running task details saved locally. Avoid putting secrets or sensitive operational details into progress fields, choose a clear reporting interval, and confirm any scheduled reporting is stopped or removed when the task ends.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The activation phrases are very broad, such as references to progress updates, long-running work, or monitoring task status, which could match many ordinary user requests unintentionally. That increases the chance the skill is auto-invoked in contexts where the user did not ask for periodic reporting or persistent logging, causing unnecessary data collection and file writes.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly states that complete reports are saved to a persistent path, but it does not provide an explicit user warning at activation time about local storage, retention, or the possibility that sensitive task details may be written to disk. In long-running tasks like training, crawling, or batch processing, these reports can contain operational data, file paths, metrics, or other sensitive context that remains after the task ends.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal