To-Do

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed future-reminder scheduler, but its shell-based implementation creates real command-injection and scheduler-control risks that users should review before installing.

Install only if you are comfortable with delayed autonomous agent execution on your machine. Do not put secrets, tokens, shell-like text, or highly sensitive operational instructions into reminders. Prefer an updated version that uses safer process APIs, validates all inputs and task IDs, scopes deletion to jobs it created, and stores logs or task bodies in a restricted user-owned location.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 81%
Finding
The list and delete features operate on system scheduler state rather than a namespaced, skill-owned task registry. On Windows, delete accepts an arbitrary task name, which can remove unrelated scheduled tasks if an attacker can influence the id parameter; on Unix, list/delete expose and manipulate global at jobs without ownership checks.

Missing User Warnings

Medium
Confidence: 93%
Finding
This skill's core behavior is deferred autonomous execution, yet the description markets convenience without an explicit warning that scheduled tasks may later run workflows, perform checks, or send notifications automatically. Users may authorize or install it without appreciating that it causes future actions outside the current session, increasing consent and misuse risk.

Ssd 3

Medium
Confidence: 93%
Finding
The skill stores user-supplied task text verbatim in scheduler-visible command strings and later re-delivers it, which can leak sensitive reminders, tokens, or operational instructions through process listings, scheduler introspection, logs, or other local users. Because scheduled content is preserved in plain text, confidentiality depends on OS-level protections rather than application controls.

Ssd 3

Medium
Confidence: 91%
Finding
The list command extracts and prints the original instruction text from scheduled jobs, disclosing prior user content in clear text. In multi-user or shared environments this can reveal private reminders, secrets, or sensitive workflow prompts to anyone able to invoke the skill or access its output.

VirusTotal

65/65 vendors flagged this skill as clean.
