Learning Checkin

Security checks across malware telemetry and agentic risk

Overview

This is a locally focused learning habit tracker with disclosed local storage and optional reminders, but users should avoid ambiguous check-in phrases and review any reminder scheduler setup carefully.

Install only if you are comfortable with a local data folder tracking your check-in history. Use explicit commands such as "record today's learning check-in" rather than generic phrases, and enable reminders only after confirming exactly which scheduler is used, when it fires, and how to disable it. Avoid the setup-cron helper unless it is changed to send reminders instead of recording check-ins automatically, since as described it schedules the check-in action itself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill explicitly states it reads and writes local files in a `data` subfolder, but it does not declare any permissions to make those capabilities visible to the host or reviewer. This is not inherently malicious, but undeclared file access reduces transparency and can bypass expected consent or review workflows, especially in agent ecosystems that rely on permission manifests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
75% confidence
Finding
The documented behavior goes beyond a simple learning check-in helper by including scheduler-related state management and reminder orchestration details that affect how external automation may be configured. That mismatch can mislead users or reviewers about the operational footprint of the skill, increasing the chance that scheduled execution or persistence features are enabled without informed approval.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code and comments state that only minimal environment information is collected, but the init response also returns local filesystem details such as DATA_DIR and SCRIPT_DIR. Exposing absolute paths can leak host structure and usernames, and it undermines the privacy claim by disclosing more host metadata than documented.
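The check a reviewer would run on an init payload like the one this finding describes, as an added example that is not the skill's own code: it flags fields holding absolute host paths, extracts the username they expose, and shows the allow-listed alternative. The payload, the field names other than DATA_DIR and SCRIPT_DIR, and the `/home/alice/...` paths are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed init payload shaped like the one the finding describes: it is labelled
# "minimal environment info" yet carries absolute host paths (not the skill's real output).
EXAMPLE_INIT_RESPONSE = {
    "skill": "learning-checkin",
    "version": "1.0",
    "platform": "linux",
    "DATA_DIR": "/home/alice/.skills/learning-checkin/data",
    "SCRIPT_DIR": "/home/alice/.skills/learning-checkin",
}

# Fields that carry no information about the host's directory layout (assumed allow-list).
SAFE_FIELDS = frozenset({"skill", "version", "platform"})

# POSIX root or Windows drive letter at the start of a value.
ABS_PATH = re.compile(r"^(?:/|[A-Za-z]:[\\/])")
# Home-directory prefixes that embed the account name.
HOME_DIR_USER = re.compile(r"^(?:/home/|/Users/|[A-Za-z]:[\\/]Users[\\/])([^\\/]+)")


def find_path_leaks(response: dict) -> dict:
    """Map each field holding an absolute path to the username it exposes (None if no home dir)."""
    leaks = {}
    for key, value in response.items():
        if isinstance(value, str) and ABS_PATH.match(value):
            m = HOME_DIR_USER.match(value)
            leaks[key] = m.group(1) if m else None
    return leaks


def minimal_init_response(response: dict) -> dict:
    """Allow-list filter: drop everything not explicitly known to be layout-neutral."""
    return {k: v for k, v in response.items() if k in SAFE_FIELDS}


def storage_hint(data_dir: str, script_dir: str):
    """What a host actually needs: where the data lives relative to the skill, never the absolute root."""
    try:
        return str(PurePosixPath(data_dir).relative_to(script_dir))
    except ValueError:
        return None


if __name__ == "__main__":
    print("leaks:", find_path_leaks(EXAMPLE_INIT_RESPONSE))
    print("minimal:", minimal_init_response(EXAMPLE_INIT_RESPONSE))
    print("storage:", storage_hint(EXAMPLE_INIT_RESPONSE["DATA_DIR"], EXAMPLE_INIT_RESPONSE["SCRIPT_DIR"]))
```

The allow-list is the important design choice: filtering out known-bad keys (DATA_DIR, SCRIPT_DIR) would silently pass the next path-bearing field someone adds, whereas an allow-list fails closed. If the host genuinely needs to know where data is kept, the relative hint `data` conveys that without the account name or directory tree.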

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The generated cron commands invoke the checkin action directly instead of running reminder eligibility logic and then sending a reminder message. This means scheduled jobs can silently mark a user as completed for the day without user action, corrupting habit-tracking data and breaking integrity of the streak system.
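What the mismatch does to the data, as an added example that is not the skill's own code: it builds both the cron line shape the finding describes (cron invokes the check-in action) and the corrected shape (cron invokes a remind action gated by eligibility logic), simulates a few days with no user activity, and audits an installed crontab for the state-changing form. The script name `./checkin.sh`, the action words `checkin` and `remind`, and the one-ISO-date-per-line history format are assumptions for illustration; the page does not show the skill's actual file layout.

```python
import shlex
from datetime import date, timedelta

# Hypothetical entry point and action names; the real skill's script is not shown on the page.
SCRIPT = "./checkin.sh"


def cron_entry_as_described(hour: int, minute: int) -> str:
    """The shape the finding describes: cron runs the check-in action itself."""
    return f"{minute} {hour} * * * {SCRIPT} checkin"


def cron_entry_corrected(hour: int, minute: int) -> str:
    """Corrected shape: cron runs a remind action that may only send a message."""
    return f"{minute} {hour} * * * {SCRIPT} remind"


def scheduled_action(entry: str) -> str:
    """Last argument of a crontab line's command, e.g. 'checkin' or 'remind'."""
    command = entry.split(None, 5)[5]
    return shlex.split(command)[-1]


def audit_crontab(crontab_text: str) -> list:
    """Lines that would write a check-in on a schedule: remove these before enabling reminders."""
    bad = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if scheduled_action(line) == "checkin":
            bad.append(line)
    return bad


def parse_checkins(history_text: str) -> set:
    """Check-in history as one ISO date per line (constructed format, not the skill's actual file)."""
    return {date.fromisoformat(l.strip()) for l in history_text.splitlines() if l.strip()}


def reminder_due(checkins: set, today: date) -> bool:
    """Eligibility logic the scheduled job should run: remind only when today is not yet recorded."""
    return today not in checkins


def current_streak(checkins: set, today_iso: str) -> int:
    """Consecutive recorded days ending at today_iso."""
    d = date.fromisoformat(today_iso)
    streak = 0
    while d in checkins:
        streak += 1
        d -= timedelta(days=1)
    return streak


def simulate(action: str, checkins: set, start_iso: str, n_days: int):
    """Run the scheduled action daily with NO user activity; return (history, reminders_sent)."""
    history = set(checkins)
    reminders = 0
    d = date.fromisoformat(start_iso)
    for _ in range(n_days):
        if action == "checkin":
            history.add(d)            # integrity failure: cron marks the day done
        elif action == "remind" and reminder_due(history, d):
            reminders += 1            # a message only; history is untouched
        d += timedelta(days=1)
    return history, reminders


if __name__ == "__main__":
    history = parse_checkins("2024-03-01\n2024-03-02\n")   # constructed sample history
    for action in ("checkin", "remind"):
        final, sent = simulate(action, history, "2024-03-03", 3)
        print(action, "streak on 2024-03-05:", current_streak(final, "2024-03-05"), "reminders:", sent)
    print("state-changing entries:", audit_crontab(cron_entry_as_described(9, 0)))
```

With the described cron line, three idle days turn a two-day streak into a five-day streak and no reminder is ever sent, because the job has already satisfied the condition a reminder would check. With the corrected line the streak drops to zero, which is the true state, and three reminders go out. The audit function is the practical check before trusting any scheduler setup: whatever the helper wrote into the crontab must not end in the state-changing action.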

Vague Triggers

Medium
Confidence
86% confidence
Finding
The documented trigger phrases are very broad and map to common conversational language such as "I'm done" and "check-in complete." In an agent environment, this can cause accidental invocation during unrelated chats, leading to unintended state changes like recording false check-ins or exposing progress information without clear user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The additional examples like "I'm done with my learning" and "I finished studying" remain semantically broad and may still match ordinary conversation rather than a deliberate command. Because this skill records persistent local data and may drive reminders, accidental matches can corrupt streak history or trigger follow-on behavior based on unintended input.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Trigger phrases like "I'm done" and "check-in complete" are common in everyday conversation and lack clear scoping to this specific skill. In an agent environment, broad triggers can cause unintended activation and record check-ins without deliberate user intent, corrupting habit data or causing reminder logic to behave incorrectly.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default behavior instructs users to say a highly ambiguous phrase to trigger a state-changing action, with no indication that the phrase must be directed specifically at this skill. This makes accidental activation more likely in natural conversation and can silently alter stored records and streak counts.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The wording encourages users to "just tell me" when they finished, but it does not clearly constrain what counts as a valid check-in versus ordinary conversation about learning. In a habit-tracking skill, that ambiguity can cause accidental activations or false check-ins, undermining data integrity and user trust even if it is not a severe security issue.

Vague Triggers

Low
Confidence
81% confidence
Finding
The sample trigger phrases like "I finished my learning" and "check-in done" are still broad enough to overlap with normal dialogue, especially in a chat-based assistant discussing study progress. This can lead to unintended state changes, incorrect streak tracking, and reminder suppression without clear user intent.
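A concrete comparison for the six Vague Triggers findings above, as an added example that is not the skill's own code: it runs the broad phrases quoted in those findings as substring triggers against a handful of constructed chat turns, runs an explicit scoped command alongside them, and shows the agent-side policy a practitioner would want, in which an ambiguous match asks for confirmation rather than writing a check-in. The sample turns, the scoped command pattern, and the record/confirm/ignore policy are assumptions for illustration.

```python
import re

# Trigger phrases quoted in the findings, matched the broad way: anywhere in the utterance.
BROAD_TRIGGERS = [
    "i'm done",
    "check-in complete",
    "check-in done",
    "i finished studying",
    "i'm done with my learning",
    "i finished my learning",
]

# Assumed scoped form: an imperative addressed to the skill, as the overview recommends.
SCOPED_COMMAND = re.compile(
    r"^\s*(?:please\s+)?(?:record|log)\b.*\b(?:learning\s+)?check[- ]?in\b",
    re.IGNORECASE,
)

# Constructed chat turns (not from the page); True means the user intended a check-in.
SAMPLE_TURNS = [
    ("record today's learning check-in", True),
    ("Please log my learning check-in for today.", True),
    ("I'm done with my learning for today, check-in complete.", True),
    ("I'm done with dinner, what should we do tonight?", False),
    ("I finished studying for the chemistry exam last year, it was brutal.", False),
    ("Check-in complete at the hotel, heading up to the room.", False),
    ("Did you record my learning check-in yesterday?", False),
    ("What's a good way to stay consistent with learning?", False),
]


def broad_match(utterance: str) -> bool:
    """Keyword baiting in action: fires whenever any trigger phrase appears as a substring."""
    text = utterance.lower()
    return any(t in text for t in BROAD_TRIGGERS)


def scoped_match(utterance: str) -> bool:
    """Fires only on an explicit record/log command that names the check-in."""
    return SCOPED_COMMAND.match(utterance) is not None


def evaluate(matcher) -> dict:
    """Count true positives, false positives and false negatives over SAMPLE_TURNS."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for text, intended in SAMPLE_TURNS:
        fired = matcher(text)
        if fired and intended:
            counts["tp"] += 1
        elif fired and not intended:
            counts["fp"] += 1
        elif not fired and intended:
            counts["fn"] += 1
    return counts


def decide(utterance: str) -> str:
    """Agent policy: only an explicit command writes state; a broad match must be confirmed first."""
    if scoped_match(utterance):
        return "record"
    if broad_match(utterance):
        return "confirm"   # ask "Record today's learning check-in?" before touching the data folder
    return "ignore"


if __name__ == "__main__":
    print("broad  :", evaluate(broad_match))
    print("scoped :", evaluate(scoped_match))
    for text, _ in SAMPLE_TURNS:
        print(f"{decide(text):8} {text}")
```

On these turns the broad triggers fire on three unrelated sentences (dinner, an old exam, a hotel) while missing both explicit commands, which is exactly the false-check-in risk the findings describe. The scoped pattern produces no false positives but misses the conversational "I'm done ... check-in complete" turn; routing that case to a confirmation step, as `decide` does, keeps the convenience without letting an unconfirmed match alter streak history.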

VirusTotal

66/66 vendors rated this skill as clean; no vendor flagged it as malicious.

View on VirusTotal