Back to skill

Security audit

Logbook

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware-like, but it is marketed as a personal journal while its instructions and script behave like a local data-processing tool that records command activity.

Review before installing. Treat this as a local data-tool stub rather than a journal app, and avoid passing private journal text, secrets, or sensitive file paths as command arguments unless you are comfortable with them being written to the local LogBook history file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest presents this as a personal journaling skill, but the body documents a general-purpose data processing toolkit that imports arbitrary files, transforms datasets, and logs all activity. This mismatch can cause inappropriate invocation in sensitive personal contexts and may lead users or orchestration systems to expose unrelated local files or private data under the false assumption that the skill is only for journaling.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata advertises a personal journaling/history assistant, while the documentation describes dataset import, schema validation, transformation, deduplication, and dashboard operations. In an agent ecosystem, this kind of semantic deception is dangerous because skill routing and user trust often depend on the manifest; a misleading manifest can trigger the skill in contexts involving sensitive notes or personal files that were never meant for a generic ETL tool.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The title and top-level framing imply a diary/logging skill, but the body immediately pivots to a terminal dataset-processing toolkit. This inconsistency increases the chance of accidental misuse and weakens informed consent, especially because users may provide personal content expecting note management rather than bulk file ingestion and persistent audit logging.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation materially diverges from the declared skill purpose: instead of a journaling tool, it exposes a generic data-processing CLI. This kind of capability mismatch is dangerous because it defeats user and platform expectations, making it easier to smuggle broader functionality than the skill description authorizes and increasing the chance of misuse or unsafe handling of personal data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The inline documentation explicitly describes the tool as a data processing and analysis toolkit, contradicting the stated journaling skill context. While not directly exploitable on its own, contradictory documentation is a security-relevant trust violation because it conceals real behavior from users and reviewers and supports social engineering around unexpected capabilities.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The broad journaling/note-taking description can cause the skill to be selected for ordinary personal writing requests even though its documented operations are oriented toward generic local data manipulation. That increases the chance that an agent invokes commands against files or stores data persistently in ways the user did not expect, expanding exposure of sensitive personal information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that all commands are logged to history and that data is stored locally, but it does not prominently warn that personal or sensitive content may be written to disk in persistent files. In the stated context of journaling and personal logs, silent persistence and activity logging materially increase privacy risk because users may assume ephemeral handling of thoughts, notes, or search queries.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script logs command arguments to a persistent history file without warning the user, and those arguments may contain sensitive journal content, search terms, file paths, or export destinations. In the context of a personal log/journaling skill, this is more dangerous because users are likely to input highly sensitive personal data and would not reasonably expect silent secondary retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.