Security audit

Laundry

Security checks across malware telemetry and agentic risk

Overview

This is a local laundry-tracking tool that saves and exports user-entered laundry notes on the same machine, with no evidence of hidden network transfer or destructive behavior.

Install only if you are comfortable with laundry schedules, costs, reminders, and free-form notes being saved locally under `~/.local/share/laundry/`. Avoid putting highly sensitive notes into it on shared or backup-synced machines, and delete the data directory or generated exports when you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 69%
Finding
The skill supports exporting locally stored laundry history to multiple formats but does not warn users that exports create additional copies of potentially sensitive household activity data. This can increase accidental exposure through less-protected files, backups, shared directories, or later attachment to other tools.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script persistently stores all user-provided entries under `~/.local/share/laundry` and appends activity to `history.log` without any notice, retention limit, access control hardening, or consent flow. In a shared workstation, managed endpoint, or backup-synced home directory, sensitive household schedules, habits, and free-form notes may be retained and exposed longer than users expect.

Missing User Warnings

Medium
Confidence: 89%
Finding
The export function aggregates all recorded data into additional files on disk (JSON/CSV/TXT), increasing the number of sensitive copies without warning or destination choice. Those exports can persist indefinitely, be picked up by backups or other local users, and in the JSON path may also embed unescaped content that could corrupt downstream consumers or cause data-handling issues.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.