NextSteps

Security checks across malware telemetry and agentic risk

Overview

This skill is a local next-step suggestion helper, but it persistently records inferred preferences, history, and backlog items with weak user control, including passive backlog tracking after disablement.

Review before installing. Use it only if you are comfortable with a .nextsteps folder in each project storing inferred preferences, suggestion history, ignored topics, and backlog items. Add .nextsteps/ to .gitignore, periodically inspect or delete those files, and note that the documented disable behavior stops visible suggestions but does not fully stop passive backlog tracking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding: The skill advertises simple next-step suggestions but also implements persistent behavior tracking, history logging, backlog reading, preference learning, and file rewrites. That mismatch is a real security/privacy issue because users and host systems may grant the skill broader trust than they would if the stateful collection and self-learning behavior were disclosed up front.

Intent-Code Divergence

Medium
Confidence: 90%
Finding: The document claims HISTORY.md stores only minimal titles and selection status, but elsewhere instructs logging config changes, ignored actions, negative feedback, and category details. This inconsistency weakens data-minimization guarantees and can lead to retention of richer behavioral data than users or reviewers expect.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The document promises a confirm-before-write flow for customization changes, but later authorizes silent preference updates through implicit learning. That creates a consent boundary mismatch: users may reasonably believe preferences only change after explicit confirmation while the skill can still modify behavior and stored preferences autonomously.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: The disable flow says NextSteps is turned off immediately, but the protocol still instructs the skill to maintain BACKLOG.md while disabled. In this skill context, that means data collection continues after a user has asked the feature to stop, which is a privacy and expectation-violation issue.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: Passive collection of backlog items while the feature is disabled is not necessary to fulfill the stated purpose of appending next-step suggestions. Because the feature is off, continuing to retain conversation-derived task data expands data collection beyond user expectations and increases privacy risk without clear justification.

Vague Triggers

Medium
Confidence: 88%
Finding: The activation phrases include very common language such as 'suggestions,' 'what now,' and 'what should I do,' making unintended activation likely during ordinary conversation. Because the skill reads and writes local state when activated, broad triggers can cause silent persistence, preference changes, and behavior tracking without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs immediate updates to PREFERENCES.md and HISTORY.md in response to conversational patterns, but does not require a user-facing notice or consent before modifying local files. Silent writes create privacy and integrity risks, especially because the skill also performs cross-session learning and stores interaction-derived behavior.

Missing User Warnings

Medium
Confidence: 92%
Finding: The skill directs the agent to create and modify `.nextsteps/*` files and potentially influence `.gitignore` based on automatic project scanning, but it does not require explicit user confirmation before making those persistent repository changes. In an agent setting, silent writes to project files can surprise users, alter repo state, and persist inferred personal/workflow data without clear consent.

Missing User Warnings

Medium
Confidence: 94%
Finding: The protocol explicitly allows silent implicit preference updates with no user-facing warning. That enables hidden behavioral profiling and persistent changes to user experience based on inferred signals, which undermines informed consent and can create hard-to-audit personalization state.

Missing User Warnings

Medium
Confidence: 95%
Finding: This file explicitly instructs the system to infer user behavior from conversation and persist the resulting inferences in HISTORY.md without any visible notice, consent flow, retention boundary, or minimization rule. That creates a privacy and data-governance issue because conversation-derived preferences, ignored topics, and configuration changes are being durably stored in a way the user may not expect.

Ssd 3

Medium
Confidence: 96%
Finding: The protocol permits silent collection and retention of user conversation topics and backlog information without confirmation, including while disabled. Stored topic/backlog data can reveal sensitive interests, plans, or unfinished tasks, so undisclosed retention creates a meaningful privacy and surveillance risk.

Ssd 3

Medium
Confidence: 97%
Finding: The instructions direct the agent to retain user-topic data, category selections, and configuration changes in persistent files, which can accumulate a behavioral profile over time. Even if intended for personalization, this is dangerous because it stores conversation-derived metadata beyond the immediate interaction without clear user authorization or necessity.

Ssd 3

Medium
Confidence: 98%
Finding: The backlog maintenance section tells the agent to add mentioned topics to BACKLOG.md whenever they are discussed but not acted on, even absent an explicit request to remember them. In this skill context, that is particularly risky because ordinary conversation can silently become long-lived task memory, capturing sensitive plans, interests, or obligations the user did not intend to persist.

VirusTotal

64/64 vendors flagged this skill as clean.