Morning Briefing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal morning briefing skill, but it can surface private calendar and reminder information if installed and scheduled.

Install only if you trust the external npm CLI. Grant Calendar and Reminders permissions only if you want that data included, and enable cron or HEARTBEAT scheduling only when you are comfortable with private briefing output being relayed automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill description is broad enough to trigger on several common user intents such as 'daily summary', 'schedule overview', or 'automated daily briefings', which can cause the agent to select this skill when the user may have intended a different action. Because the skill executes a local CLI that can access personal data sources like calendar, reminders, weather location, and news, unintended activation can expose sensitive information or perform privacy-impacting actions without sufficiently specific user intent.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal