Yatta! - Task & Capacity Management

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Yatta task-management skill, but it needs review because its full-account API access is paired with misleading safety claims and unsafe copy-paste examples.

Install only if you are comfortable giving this skill a full-access Yatta API key. Prefer the provided safe wrapper script or jq-based payload construction, verify YATTA_API_URL before use, and avoid copying examples that interpolate user-controlled values directly into JSON or URLs. Confirm batch updates, deletes, archives, calendar syncs, and follow-up changes before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The skill claims that all examples use safe jq-based construction, but later documentation includes a shell script that interpolates untrusted variables directly into a JSON body. This creates a mismatch between the documented security guarantees and actual examples, increasing the likelihood that users copy vulnerable patterns and expose their API key or perform unintended API actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal