Security audit

proactive-agent-3.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives a proactive agent broad memory, monitoring, tool-use, and background-execution authority that needs careful review before installation.

Install only if you want an agent with persistent personal memory and proactive autonomy. Before using it, restrict or remove unattended crons, email/calendar polling, browser/app cleanup, broad transcript logging, and spawned-agent behavior unless you explicitly want those features and can review what is stored or changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding: The skill explicitly encourages using browser, web search, CLI, and spawned agents as part of its default operating model, which expands behavior beyond a memory/proactivity skill into networked and orchestration actions. Even though some guardrails are present, this materially increases attack surface and can lead to unsafe external interactions or execution of unreviewed workflows.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The skill instructs the agent to schedule weekly cron-job reminders, which is autonomous ongoing behavior not clearly disclosed in the manifest. Hidden scheduled behavior can surprise users, create persistence they did not consent to, and trigger actions outside the immediate session context.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding: The skill instructs the agent to use broad external capabilities like CLI, browser, web search, and spawning agents under a 'try 5-10 methods' mindset. That encourages over-broad action selection and can bypass least-privilege expectations, increasing the chance of unsafe external access, excessive data exposure, or unintended side effects during autonomous operation.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding: The autonomous cron guidance explicitly recommends isolated background agent turns that execute work without requiring main-session attention. In a skill centered on proactivity, that materially increases risk because recurring unattended execution can amplify mistakes, perform stale or inappropriate actions, and operate without timely human review.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding: The heartbeat behavior instructs the agent to proactively inspect emails and calendars and decide when to reach out, which expands the skill into ongoing surveillance of sensitive personal data. Even without explicit exfiltration, this creates unnecessary access to private information and increases the chance of over-collection, mistaken notifications, or acting on data the user did not intend to expose to this skill.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: Telling the agent to 'use every tool' including browser, web search, and spawning agents encourages unconstrained capability escalation during failure handling. In practice, this weakens least-privilege boundaries and can lead the agent to access unnecessary systems or invoke powerful sub-agents without clear authorization.

Intent-Code Divergence

Medium
Confidence: 91%
Finding: 'Don't ask permission. Just do it.' creates a blanket autonomy directive that conflicts with later safety checks for deletion, security changes, and external actions. Ambiguous precedence in safety rules is dangerous because an agent may follow the more aggressive instruction and bypass consent boundaries in edge cases.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: This heartbeat file directs the agent to perform broad workstation-management tasks such as closing applications, cleaning browser tabs, and moving desktop files, which goes beyond a narrowly scoped proactive/self-improvement role. In an autonomous heartbeat loop, that expansion increases the chance of unintended actions, data loss, or privacy-invasive behavior without an explicit user request at the time of execution.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding: The instruction to periodically check emails and calendars prompts the agent to access highly sensitive personal data unrelated to a generic proactive-improvement skill. When coupled with autonomous heartbeats, this can normalize continuous surveillance of private communications and schedules without strong contextual justification, minimization, or consent boundaries.

Ssd 3

Medium
Confidence: 95%
Finding: The onboarding flow explicitly encourages the agent to gather and persist broad user context across sessions, including personal preferences, goals, and identity-related information. Even if intended to improve personalization, normalizing long-term storage of user-provided context without data minimization, sensitivity boundaries, retention limits, or consent controls increases privacy risk and the blast radius of compromise.

Ssd 3

Medium
Confidence: 97%
Finding: The memory architecture and flush protocol instruct the agent to capture 'everything important,' including decisions, reasoning, open threads, and conversation continuity data, which can easily include secrets, credentials, health, financial, or other sensitive user information. This creates a systematic over-collection pattern and persistent storage of conversational content beyond what is necessary for task execution.

Ssd 3

Medium
Confidence: 96%
Finding: The curiosity loop encourages eliciting personal history, relationships, values, aspirations, and similar sensitive context during ordinary conversation, then storing that information in persistent files. That combination of proactive elicitation plus durable storage can lead to profiling and accumulation of highly sensitive personal data without clear necessity or informed consent.

Ssd 3

Medium
Confidence: 96%
Finding: The quick-start flow directs the agent to elicit user information and auto-populate persistent profile files, while the architecture defines durable memory files including tools and credentials. This creates a broad retention surface for sensitive personal and operational data without clear minimization, consent, or access controls.

Ssd 3

Medium
Confidence: 95%
Finding: The WAL rule tells the agent to immediately persist corrections, proper nouns, preferences, decisions, draft changes, and specific values whenever they appear. This is overbroad natural-language retention that can capture sensitive identifiers, private preferences, URLs, and other confidential information by default.

Ssd 3

Medium
Confidence: 98%
Finding: The working buffer mandates appending every human message and response summary after a context threshold, effectively creating a persistent conversation transcript. That design increases the likelihood of retaining sensitive personal data, credentials, business information, or regulated content far beyond what is necessary for task continuity.

Ssd 3

Medium
Confidence: 94%
Finding: The recovery flow instructs the agent to reread raw prior exchanges and re-extract important context into active state, reinforcing repeated reuse of retained user content. This compounds privacy risk because sensitive material can be resurfaced and propagated across sessions without fresh consent or necessity review.

Ssd 3

Medium
Confidence: 95%
Finding: The WAL and working-buffer protocols direct the agent to persist corrections, proper nouns, preferences, decisions, URLs, and eventually every exchange after a context threshold. This creates a substantial natural-language data retention surface where sensitive user content may be stored broadly and indefinitely, increasing exposure in case of compromise, accidental sharing, or misuse by later agent actions.

Ssd 3

Medium
Confidence: 91%
Finding: Automatically populating persistent USER.md and SOUL.md from onboarding answers encourages collection and long-term storage of personal context without clear minimization boundaries. In this skill's context, where memory and proactivity are core features, that makes the issue more dangerous because the stored profile can influence future autonomous behavior and broaden leakage impact.

Unrestricted Tool Access

Medium
Category: Excessive Agency
Content:
1. Try a different approach immediately
2. Then another. And another.
3. Try 5-10 methods before considering asking for help
4. Use every tool: CLI, browser, web search, spawning agents
5. Get creative — combine tools in new ways

### Before Saying "Can't"
Confidence: 91%
Finding: Use every tool

Unrestricted Tool Access

Medium
Category: Excessive Agency
Content:
1. Try a different approach immediately
2. Then another. And another.
3. Try 5-10 methods before considering asking for help
4. Use every tool: CLI, browser, web search, spawning agents
5. Get creative — combine tools in new ways

### Before Saying "Can't"
Confidence: 94%
Finding: Use every tool

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.
Warn
Code: suspicious.prompt_injection_instructions
Location: assets/HEARTBEAT.md:11

Prompt-injection style instruction pattern detected.
Warn
Code: suspicious.prompt_injection_instructions
Location: references/security-patterns.md:9

Prompt-injection style instruction pattern detected.
Warn
Code: suspicious.prompt_injection_instructions
Location: SKILL-v2.3-backup.md:179