Smart Task Scheduler

Security checks across malware telemetry and agentic risk

Overview

This is a coherent scheduling and reminder skill, with disclosed local schedule storage and Feishu credential use that fit its purpose.

Before installing, treat uploaded schedules and tasks as sensitive. Confirm where the workspace JSON files will live, grant the Feishu app only the permissions needed for reminders, and enable the suggested cron jobs only if you want periodic automated reminder checks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly says uploaded Excel/CSV schedule files will be parsed and stored, but it does not clearly disclose persistence, retention, or where the data is saved. Because schedules can contain sensitive work patterns and personal routines, silent storage increases privacy and surveillance risk if users assume uploads are transient.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The metadata requires Feishu credentials and the skill advertises proactive reminders, which implies external service integration and outbound messaging. Failing to clearly warn users that their task/schedule data may be sent through Feishu can lead to unintended disclosure of sensitive scheduling information to a third-party platform.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal