Proactive Agent Plus

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks the agent to persist broad conversation and user-profile data and run proactive checks without enough user control.

Install only if you intentionally want a persistent local-memory agent. Before using it, set explicit rules to avoid saving secrets, credentials, medical or financial details, private third-party information, and full message text by default; review and prune the memory files regularly; and do not enable email/calendar checks or autonomous background turns unless you have clearly scoped those permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The heartbeat checklist expands the skill from memory/self-improvement into monitoring external communications by directing the agent to check urgent emails and calendar items. That increases access to potentially sensitive data and broadens the operational scope without clear consent, least-privilege limits, or task-specific justification.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Instructing the agent to scan every message for broad categories like names, preferences, decisions, and values creates an always-on trigger that activates on ordinary conversation. This makes persistent logging behavior fire too easily, increasing the chance of collecting sensitive information without contextual necessity or meaningful user awareness.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The compaction recovery trigger includes common phrases such as 'continue' or 'where were we?' that can appear in normal conversation and automatically initiate file reads and state recovery. Ambiguous triggers like this can cause unintended access to prior session data and increase unnecessary exposure of retained context.
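The two Vague Triggers findings above both come down to trigger precision: a phrase that appears in ordinary chat ("continue", "where were we?") fires state recovery, and always-on scanning of every message for names and preferences fires memory writes. The block below is an added example, not code from the skill, its author or SkillSpector; it measures a broad phrase trigger against an explicit command on constructed sample turns, and gates memory writes on an explicit request. The phrase list, the `/resume` command, the `remember:` prefix and the sample messages are all assumptions made for illustration.

```python
"""Trigger precision for an agent skill: broad phrase triggers versus
explicit ones. Added example; the phrases, the '/resume' command, the
'remember:' prefix and the sample turns are assumptions for illustration.
"""
import re

# Phrases of the kind the finding describes: they also occur in ordinary chat.
BROAD_RESUME_PHRASES = ("continue", "resume", "where were we",
                        "pick up where we left off")

# Explicit alternatives (assumed conventions, not the skill's): a slash
# command for state recovery and an opt-in prefix for memory writes.
RESUME_COMMAND = re.compile(r"/resume(?:\s+\S+)*")
REMEMBER_PREFIX = re.compile(r"remember:\s*(.+)", re.IGNORECASE | re.DOTALL)


def broad_resume_trigger(message):
    """Fires when any resume phrase appears anywhere in the message."""
    lowered = message.lower()
    return any(phrase in lowered for phrase in BROAD_RESUME_PHRASES)


def explicit_resume_trigger(message):
    """Fires only when the whole message is the resume command."""
    return RESUME_COMMAND.fullmatch(message.strip()) is not None


def memory_opt_in(message):
    """Return the text the user asked to persist, or None.

    Replaces always-on scanning of every message for names, preferences
    and decisions with a write that happens only on an explicit request.
    """
    match = REMEMBER_PREFIX.fullmatch(message.strip())
    return match.group(1).strip() if match else None


# Constructed sample turns, labelled with whether recovery was wanted.
SAMPLE_TURNS = [
    ("/resume", True),
    ("/resume session-3", True),
    ("Continue with the next item in the list", False),
    ("Where were we in the migration runbook? I lost the tab", False),
    ("What does `continue` do inside a Python for loop?", False),
    ("Draft a reply: we'll pick up where we left off next quarter", False),
    ("remember: I prefer tabs over spaces", False),
    ("Summarize the incident timeline", False),
]


def evaluate(trigger, turns=SAMPLE_TURNS):
    """Count true and false positives for a trigger over labelled turns."""
    true_positives = sum(1 for text, wanted in turns if wanted and trigger(text))
    false_positives = sum(1 for text, wanted in turns
                          if not wanted and trigger(text))
    return {"true_positives": true_positives, "false_positives": false_positives}


if __name__ == "__main__":
    print("broad   ", evaluate(broad_resume_trigger))
    print("explicit", evaluate(explicit_resume_trigger))
    for text, _ in SAMPLE_TURNS:
        stored = memory_opt_in(text)
        if stored:
            print("would persist:", stored)
```

On the constructed turns the broad trigger fires on four ordinary messages that never asked for recovery, including a question about Python's `continue` keyword and a reply being drafted for someone else; the explicit command fires only on the two real resume requests. The same pattern applies to persistence: nothing is written unless the user opened the message with the opt-in prefix.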

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The quick start and architecture normalize automatic writes to workspace memory files and profile documents without clearly informing users about persistence, retention, or privacy consequences. Users may disclose sensitive information expecting ephemeral chat behavior, while the skill silently converts it into durable records.

Ssd 3

Severity: High
Confidence: 97%
Finding
The WAL protocol mandates writing corrections, names, preferences, decisions, draft changes, and specific values to persistent storage before responding. This creates broad, automatic retention of potentially sensitive personal and project information, substantially increasing privacy, leakage, and secondary-use risk if the workspace is shared, synced, or later exposed.

Ssd 3

Severity: High
Confidence: 98%
Finding
The working buffer explicitly directs the agent to append every human message and response summary after a context threshold, creating a persistent transcript of raw exchanges. Persisting full user messages is especially risky because it captures secrets, personal information, and incidental context far beyond what is necessary for continuity.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The onboarding flow encourages auto-populating user profile files from answers, and the architecture places tool configurations and credentials near long-term memory materials. This normalizes collecting and co-locating sensitive identity and secret material, which increases the blast radius of any compromise or accidental sharing of the workspace.
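The Overview asks for explicit rules against saving secrets, credentials and full message text, for regular pruning of memory files, and for email/calendar checks to stay off until their permissions are scoped; the WAL, working-buffer and onboarding findings above describe what happens without those rules. The block below is an added example of such a guard, not code from the skill, its author or SkillSpector. It assumes a memory entry is a dict with `category` and `text` keys, that memory lives in markdown files under a workspace directory, and that proactive checks are gated by an explicit scope allowlist; the secret patterns are illustrative rather than a complete ruleset, and the sample workspace is constructed for the demo.

```python
"""Memory-write guard and workspace audit for a persistent-memory agent.

Added example. Entry shape, file layout, scope names and secret patterns
are assumptions; the patterns are illustrative, not a complete ruleset.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Token shapes a write guard should never persist.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key id
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                 # GitHub personal token
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
    re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S+"),
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),              # card-number-like digit run
]

# Proactive (heartbeat) checks and the scope each one needs (assumed names).
HEARTBEAT_CHECKS = {"email": "email:read", "calendar": "calendar:read"}


@dataclass
class MemoryPolicy:
    # Categories that may be written at all. Medical, financial, third-party
    # and full-message entries are absent, so they are rejected by default.
    allowed_categories: set = field(
        default_factory=lambda: {"name", "preference", "decision", "project"})
    # Scopes the user explicitly granted; empty means no background checks.
    enabled_scopes: set = field(default_factory=set)
    # Length cap forces summaries, not raw transcripts, into memory.
    max_entry_chars: int = 280


def find_secrets(text):
    """Return every secret-like substring in text."""
    return [m.group(0) for p in SECRET_PATTERNS for m in p.finditer(text)]


def redact(text):
    """Replace secret-like substrings so an audit report can be shared."""
    for p in SECRET_PATTERNS:
        text = p.sub("[REDACTED]", text)
    return text


def check_write(policy, entry):
    """Decide whether a proposed memory entry may be persisted.

    Returns (allowed, reason). Secrets cause rejection rather than
    redaction: a redacted line still records that a secret was shared.
    """
    category = entry.get("category")
    if category not in policy.allowed_categories:
        return False, f"category {category!r} is not allowed in memory"
    text = entry.get("text", "")
    if len(text) > policy.max_entry_chars:
        return False, "entry too long: store a summary, not the message"
    hits = find_secrets(text)
    if hits:
        return False, f"entry contains {len(hits)} secret-like token(s)"
    return True, "ok"


def heartbeat_plan(policy):
    """Only schedule proactive checks whose scope was explicitly granted."""
    return [name for name, scope in HEARTBEAT_CHECKS.items()
            if scope in policy.enabled_scopes]


def audit_memory_files(root):
    """Scan existing memory files for lines that should be pruned.

    Returns (relative_path, line_number, redacted_line) tuples.
    """
    root = Path(root)
    report = []
    for path in sorted(root.rglob("*.md")):
        for number, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if find_secrets(line):
                report.append((str(path.relative_to(root)), number, redact(line)))
    return report


def build_sample_workspace():
    """Constructed workspace: a tool-config note leaks a key next to memory."""
    root = Path(tempfile.mkdtemp(prefix="memory-audit-"))
    (root / "USER.md").write_text("Prefers concise answers.\nTimezone: UTC\n")
    (root / "tools.md").write_text("Deploy notes\napi_key=sk-example-not-real-1234567890\n")
    return root


if __name__ == "__main__":
    policy = MemoryPolicy(enabled_scopes={"calendar:read"})
    print(check_write(policy, {"category": "preference", "text": "Likes bullet lists"}))
    print(check_write(policy, {"category": "full_message", "text": "raw transcript"}))
    print(heartbeat_plan(policy))
    for finding in audit_memory_files(build_sample_workspace()):
        print(finding)
```

The guard runs before the WAL write rather than after it, so a rejected entry never reaches disk; the audit covers the co-location finding by scanning everything under the workspace, including tool-config notes kept beside the memory files, and reports only redacted lines.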

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus result does not address the findings above, which concern what the skill instructs the agent to retain and access rather than malicious code.