Back to skill

Security audit

Desktop Notify

Security checks across malware telemetry and agentic risk

Overview

The notification feature itself is straightforward, but the setup scripts persistently change global WorkBuddy memory so future conversations run a notification command after every response.

Install only if you deliberately want WorkBuddy to change global memory and run a local notification command after every future response. For one-off task alerts, use the notify script directly and avoid running setup; if setup was already run, remove the block marked <!-- desktop-notify-auto --> from ~/.workbuddy/MEMORY.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a simple per-task desktop notification helper, but its documented behavior includes persistent modification of the user's global WorkBuddy memory so future conversations are automatically affected. That is a materially different and more security-sensitive capability than transient notification, because it changes long-term agent behavior across projects and can normalize broad persistence under an innocuous description.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The setup flow instructs users to add a persistent global auto-notification rule to the user's memory, which changes behavior for all future projects and conversations. Even if user-initiated, this is a cross-session persistence mechanism and should be treated as configuration modification with ongoing impact, not as a harmless one-off helper action.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The documentation claims the skill does not automatically change configuration, but it also recommends scripts whose purpose is to write persistent global rules into the user's memory file. While the distinction is that installation does not auto-run setup, the wording can still mislead users about the real security significance of the setup action and reduce informed consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script persists a rule into the user's global AI memory requiring a notification command to run after every response in all future conversations. That behavior exceeds a task-scoped desktop notification helper and creates a durable cross-session policy change that can coerce command execution outside the user's immediate intent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script edits ~/.workbuddy/MEMORY.md, which alters future model behavior globally rather than performing a local notification setup. Modifying conversation memory/policy is a powerful capability unrelated to the stated purpose and can be abused to inject persistent instructions or force future command execution.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments frame the behavior as adding an auto-notify rule, but the actual injected content mandates execution of a specific PowerShell command globally in all conversations. This mismatch is dangerous because it obscures the true security effect of the script and may cause users to authorize persistent agent command execution without informed consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script installs a persistent rule that forces a notification after every future response, which exceeds the advertised scope of notifying only when a long-running task completes. This creates hidden cross-session behavior and changes agent behavior globally, making the skill effectively a persistence mechanism rather than a simple notification helper.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script modifies the user's global agent memory so future conversations are silently influenced, which is not necessary for a desktop notification utility. In the skill context, this is especially dangerous because it grants the package lasting behavioral control over unrelated projects and conversations, creating unauthorized persistence and possible policy bypass opportunities.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages running setup scripts that modify a global memory/config file affecting future conversations, but the risk is framed as convenience rather than as a persistent system-behavior change. Understating that impact can lead users to authorize broad, durable modifications without appreciating the scope or security consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script appends a global behavioral rule to the user's memory file without an explicit warning, confirmation step, or clear disclosure that future AI sessions will be affected. Silent persistence of agent behavior changes undermines user consent and can create long-lived, hard-to-diagnose side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes to ~/.workbuddy/MEMORY.md without any confirmation, dry-run output, or warning that it is changing global behavior for all future conversations. Silent modification of a global control file reduces user agency and increases the risk that persistent behavior is installed without understanding or meaningful consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.