Back to skill

Security audit

Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed carefully because it enables persistent memory, personal profiling, broad tool use, and proactive actions without enough boundaries.

Install only if you deliberately want a persistent proactive agent and can contain it. Use a dedicated workspace, keep secrets and sensitive personal data out of memory files, review changes to USER.md/SOUL.md/MEMORY.md/AGENTS.md, and require explicit approval before shell commands, browser automation, account access, crons, spawned agents, or any external action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises operational behaviors that imply shell and network-capable actions, including running a security audit script and using CLI/browser/web search, yet it declares no permissions. This creates a trust and review gap: users may install it expecting a documentation-only skill while it encourages privileged execution paths that can touch the filesystem or external resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description frames the skill as a productivity and memory architecture aid, but the embedded quick-start behavior includes running a security audit script that scans workspace files, memory files, scripts, and secrets-like content. That mismatch can cause users to grant trust under false assumptions, leading to unexpected inspection of sensitive local data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README shows very broad invocation phrases like '设置主动检查' and '查看主动任务' without defining clear activation conditions, scope boundaries, or user-consent expectations. In a proactive/autonomous agent skill, ambiguous triggers can cause the skill to activate in unintended contexts, increasing the chance of overreach, surprising behavior, or unauthorized autonomous actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The WAL protocol tells the agent to scan every message for broad categories like proper nouns, preferences, decisions, and URLs, then automatically write to persistent state before responding. Such common triggers are likely to activate during ordinary conversation, causing unintended persistence of sensitive data and surprising file modifications.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The compaction recovery auto-trigger relies on ambiguous signals such as common phrases like "continue" or "where were we?" and generic signs of confusion. This can invoke recovery logic unexpectedly, causing unnecessary reads of memory files and broad context reconstruction when the user may not have intended it.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick start directs the agent to detect onboarding files and auto-populate USER.md and SOUL.md from user answers, without a clear, front-loaded warning that the skill will persist user-provided information into workspace files. Automatic writes to profile and identity files can capture sensitive material with insufficient informed consent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The file instructs the agent to read multiple local memory and identity files and to 'not ask permission' before acting, but it does not define firm scope boundaries, trust conditions, or activation limits. In a proactive agent skill, this broad autonomy can cause the agent to access sensitive context and take unintended actions based on ambiguous standing instructions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger 'Found something interesting/relevant' is highly subjective and can cause the agent to initiate contact without a clear user-approved threshold. In a proactive agent skill, this increases the chance of noisy, privacy-invasive, or socially disruptive outreach because the model is empowered to interpret relevance broadly.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The rule 'Been >8h since last contact' creates a cadence-based prompt to message the user even when there is no meaningful new information. This can lead to unnecessary activation and user disruption, especially because the surrounding skill is designed to act proactively and continuously improve.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instruction to 'Update MEMORY.md with distilled learnings' directs the agent to write to persistent memory without any guardrails about what data is permitted, how to avoid storing sensitive content, or whether user approval is needed. In a long-running proactive agent, this can cause unintended retention of private, incorrect, or system-influencing data that persists across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tracking section instructs logging heartbeat activity into a persistent JSON file without warning about retention, user visibility, or limits on what may be stored. Even though the example fields look operational, normalizing silent state writes in an autonomous agent increases the risk of covert persistence, behavioral drift, and accumulation of metadata about user activity patterns.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guidance to update on 'significant events' and review 'periodically,' 'session starts,' and 'before major decisions' is broad enough to encourage frequent, context-insensitive memory reads and writes. In an agentic system, this can expand the situations where personal or sensitive context is surfaced or persisted, increasing the chance of unnecessary retention, over-collection, and use of stale or irrelevant memory in later actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly invites storing a person's goals, preferences, projects, lessons, and running context, but it does not warn about privacy, consent, sensitivity, or retention boundaries. That omission can normalize persistent collection of personal profile data without clear user awareness, making privacy leakage, unintended profiling, and cross-session misuse more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file explicitly instructs the agent to update persistent files such as AGENTS.md, TOOLS.md, and MEMORY.md as it learns, but it does not require explicit user consent, review, or change-scoping for those writes. In a proactive agent, this creates a durable prompt/policy injection surface where untrusted or mistaken session content can be persisted and later influence future behavior.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The file documents the exact location of a local secrets file and names a specific API key stored there, but provides no warning about secret handling, access controls, or exclusion from logs/version control. While this is not an exposed credential by itself, it increases the chance of accidental disclosure, targeted exfiltration by other components, or unsafe operational practices in an agent-oriented environment that may read local files.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This template encourages an agent to build and retain a user profile over time, including identity, location, schedule, preferences, projects, and other contextual notes, without any data minimization, consent, retention, or sensitivity guidance. In a proactive agent skill, that creates a meaningful privacy risk because the agent is explicitly directed to accumulate personal data longitudinally, which can lead to over-collection, unintended storage of sensitive information, and misuse in later prompts or integrations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding flow explicitly directs the agent to collect personal details such as name, timezone, location, goals, communication preferences, boundaries, and tools, then persist them into USER.md and SOUL.md without requiring informed consent, data minimization, retention limits, or a privacy warning. In an agent skill, this creates a real privacy and safety risk because sensitive profile data may be stored in workspace files that other tools, agents, collaborators, or future prompts can access, expanding the blast radius of disclosure or misuse.

Ssd 3

Medium
Confidence
94% confidence
Finding
The working buffer protocol instructs the agent to log every exchange after a context threshold, including both the user's message and the agent's response summary, and to leave that buffer in place until later. This creates broad retention of conversational content, increasing the risk of storing secrets, personal data, regulated content, or sensitive project details in a persistent file that may later be searched or exposed.

Ssd 3

Medium
Confidence
84% confidence
Finding
Auto-populating USER.md and SOUL.md from onboarding answers encourages collection and persistence of personal profile, preferences, goals, and identity-related context. Even if intended to personalize the agent, it normalizes storing potentially sensitive user information without clear minimization or retention controls.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
1. Try a different approach immediately
2. Then another. And another.
3. Try 5-10 methods before considering asking for help
4. Use every tool: CLI, browser, web search, spawning agents
5. Get creative — combine tools in new ways

### Before Saying "Can't"
Confidence
90% confidence
Finding
Use every tool

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
1. Try a different approach immediately
2. Then another. And another.
3. Try at least 5-10 methods before asking for help
4. Use every tool: CLI, browser, web search, spawning agents
5. Get creative — combine tools in new ways

**Pattern:**
Confidence
91% confidence
Finding
Use every tool

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
> "What would genuinely delight my human that they haven't asked for?"

### Proactive without asking:

- Read and organize memory files
- Check on projects
Confidence
90% confidence
Finding
without asking

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.