Goal Manager - 目标管理

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local goal-management skill, but it persists personal planning data and can delete stored goals without strong safeguards.

Install only if you are comfortable with the skill storing goal and review content locally. Avoid entering highly sensitive personal details unless you know where the files are stored and how to remove them. Before deleting goals, review the stored files or back them up because the reported delete flow may remove matching entries without a confirmation step.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly stores user goals and review content in local files and requests file read/write permissions, but it does not warn users that potentially sensitive personal planning data will be persisted. This creates a privacy and data-governance risk because users may disclose career, health, finance, and relationship information without informed consent or retention controls.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The delete path immediately rewrites goals.json based on loose substring matching in the user query and returns success without any confirmation, preview, or undo mechanism. In an agent context, a single ambiguous or accidental instruction can silently destroy user data, which is a real integrity and availability issue even though it is not remote code execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal