Back to skill

Security audit

Milestone

Security checks across malware telemetry and agentic risk

Overview

Milestone is a local logging utility whose main risk is that typed inputs may be saved on the user's machine.

Install only if you want a local activity logger. Do not put passwords, API keys, private prompts, confidential filenames, or sensitive business data into Milestone commands, because entries may be written under ~/.local/share/milestone and later shown through history, search, stats, or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents this as a narrowly focused Milestone utility, but the script implements a much broader persistent activity logger with search, reporting, and export features. That mismatch is security-relevant because users and orchestrators may grant or invoke the skill under false assumptions, increasing the chance that sensitive prompts or operational data are collected and later exposed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script creates a persistent data directory and writes activity history, while also exposing functionality to retrieve and export stored content. In an agent-skill context, command inputs often contain sensitive natural-language data, so unnecessary retention materially increases confidentiality risk beyond the stated purpose of the tool.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is overly broad ('use when you need milestone') and does not constrain when the skill should be selected. In agentic environments, vague routing criteria can cause the skill to be invoked for loosely related tasks, unnecessarily collecting and storing user-provided data through its logging features.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The command set contains highly generic actions such as run, check, convert, analyze, and generate without defining inputs, outputs, or safety boundaries. That ambiguity makes misuse more likely and obscures what data may be processed or stored for each action, which is especially risky in a skill that keeps local logs and exports.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
These command handlers write the full user-provided input directly to local log files without any prominent warning or consent flow. Because users may enter secrets, tokens, internal filenames, or proprietary content into agent tools, silent persistence can lead to later disclosure through local access, backups, exports, or unintended sharing.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script systematically records user inputs across multiple commands and then provides search, recent-history, status, stats, and export functionality over that accumulated corpus. In this skill context, that turns ordinary user interactions into a searchable local transcript, which creates a natural-language data leakage surface not justified by the minimal manifest description.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.