Back to skill

Security audit

Scheduler

Security checks across malware telemetry and agentic risk

Overview

This is a local scheduler-style note utility that stores and exports user-entered items on the device, with no evidence of hidden network access, credential use, or destructive behavior.

Install only if you are comfortable with scheduler entries being stored under ~/.local/share/scheduler and exported there. Avoid putting secrets, credentials, or highly sensitive personal/work information into entries, and review exported files before sharing or syncing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description is generic and repetitive ('for everyday use' / 'Use when you need scheduler'), which makes the skill easier to trigger in unrelated contexts. Ambiguous activation can cause the agent to select this skill when a user's request only loosely matches scheduling, increasing the chance of unintended command execution or inappropriate tool use.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
User-provided entries are persistently written to log files under ~/.local/share/scheduler and echoed back to stdout without any explicit disclosure, minimization, or sensitivity warning. In a scheduler context, users may enter private plans, reminders, health, work, or credential-like text, so silent retention can expose sensitive data to other local users, backups, terminals, or later exports.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The export command aggregates all logged scheduler activity into json/csv/txt files on disk without warning about the privacy implications or sanitizing exported content. Because scheduler data can contain sensitive personal or workplace information, exporting it into a single easy-to-copy file increases the chance of accidental disclosure, synchronization to cloud backups, or exposure to other local processes/users.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.