Batch Cognition

Security checks across malware telemetry and agentic risk

Overview

This skill is useful for batch prompt processing, but it stores full user inputs, reuses them across future batches, and can inspect Drive folders with limited upfront consent controls.

Use this only for batches you are comfortable storing locally and reusing later. Avoid secrets, regulated data, private Drive folders, credentials, and mixed confidential folders unless you add your own confirmation, redaction, retention, and deletion rules before running it.
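The following is an added example, not part of this page and not code from the Batch Cognition skill. It shows the kind of confirmation, redaction, retention, and deletion rules the overview tells you to add before running the skill, as a small Python intake gate with three pieces: a redaction pass over each prompt before anything is written to disk, a checkpoint that fails closed (silence past the timeout pauses the batch instead of continuing it), and a store in which every batch record carries an expiry that a purge routine enforces. The secret patterns, the function names, the 7-day default retention, and the sample prompts are constructed assumptions for illustration.

```python
# Added example: intake gate for a batch-prompt skill. Redact before persisting,
# fail closed at checkpoints, expire stored batches. Names/patterns are constructed.
import json
import re
import tempfile
import time
from pathlib import Path

# Constructed patterns for common credential shapes; extend for your environment.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
    "assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
CHECKPOINT_TIMEOUT_S = 30  # the same 30 s window after which the scanned skill auto-continues

def redact(text):
    """Replace each secret-like match with a labelled placeholder; return the cleaned
    text plus the pattern names that fired, so the audit record shows what was stripped."""
    fired = []
    for name, pattern in SECRET_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{name}]", text)
        fired.extend([name] * count)
    return text, fired

def checkpoint_decision(user_response, elapsed_s, timeout_s=CHECKPOINT_TIMEOUT_S):
    """Fail closed: silence past the timeout pauses the batch rather than continuing it,
    and only an explicit affirmative continues; any other answer aborts."""
    if user_response is None:
        return "pause" if elapsed_s >= timeout_s else "wait"
    return "continue" if user_response.strip().lower() in {"y", "yes", "continue"} else "abort"

def persist_batch(store_dir, batch_id, prompts, retention_days=7, now=None):
    """Redact every prompt, then write the batch with an explicit expiry timestamp.
    Nothing reaches disk unredacted, and purge_expired() enforces the deadline."""
    now = time.time() if now is None else now
    cleaned, fired = [], []
    for prompt in prompts:
        text, names = redact(prompt)
        cleaned.append(text)
        fired.extend(names)
    record = {"batch_id": batch_id, "created": now, "expires": now + retention_days * 86400,
              "redactions": fired, "prompts": cleaned}
    (Path(store_dir) / f"{batch_id}.json").write_text(json.dumps(record, indent=1))
    return record

def purge_expired(store_dir, now=None):
    """Delete every stored batch whose expiry has passed; return the ids removed."""
    now = time.time() if now is None else now
    removed = []
    for path in Path(store_dir).glob("*.json"):
        if json.loads(path.read_text())["expires"] <= now:
            path.unlink()
            removed.append(path.stem)
    return sorted(removed)

def demo():
    """End-to-end run on constructed prompts in a temp directory with a fixed clock."""
    t0 = 1_700_000_000
    prompts = ["Summarise our Q3 roadmap",  # constructed sample input
               "Deploy using AKIAABCDEFGHIJKLMNOP and password=hunter2hunter2"]
    with tempfile.TemporaryDirectory() as store:
        persist_batch(store, "batch-000", ["old batch"], retention_days=1, now=t0 - 3 * 86400)
        rec = persist_batch(store, "batch-001", prompts, now=t0)
        purged = purge_expired(store, now=t0)
        remaining = sorted(p.stem for p in Path(store).glob("*.json"))
    return {"prompts": rec["prompts"], "redactions": rec["redactions"],
            "purged": purged, "remaining": remaining,
            "silent_after_timeout": checkpoint_decision(None, 30),
            "silent_before_timeout": checkpoint_decision(None, 5),
            "explicit_no": checkpoint_decision("no", 2)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the file prints the demo result: the credential-bearing prompt is stored with placeholders and the record lists which patterns fired, the stale batch is purged while the fresh one survives, and the checkpoint returns "pause" rather than "continue" when nobody answers within the window. The design choice worth keeping is that the skill's 30-second timer is inverted: the same timeout that the scanned skill treats as implied consent is treated here as a reason to stop. Pattern matching will not catch every secret, so the redaction pass is a floor, not a substitute for keeping credentials and regulated data out of the batch in the first place.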

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers
Severity: Medium. Confidence: 83%.

The activation criteria are broad enough to trigger on generic phrases like 'multiple prompts incoming' or bulk pasted content, which increases the chance the skill engages in contexts where the user did not intend persistent batch processing. In this skill, broad activation is more dangerous because activation leads immediately into mandatory saving, classification, and execution behavior over large user-provided corpora.

Missing User Warnings
Severity: Medium. Confidence: 94%.

The skill mandates saving the entire batch, reading prior context, and writing full prompts to persistent files, but does not present an explicit warning or consent gate about storage of user content and derived notes. This is dangerous because users may paste sensitive prompts, logs, or documents believing they are being processed transiently, while the skill instead creates durable cross-batch records.

Missing User Warnings
Severity: Medium. Confidence: 92%.

The checkpoint logic instructs the agent to continue automatically after 30 seconds of no user response, but this behavior is not clearly disclosed up front. In a bulk-processing skill that can execute prompts, research, and persist outputs, silent continuation increases the risk of processing sensitive or costly material beyond what the user intended.

Vague Triggers
Severity: Medium. Confidence: 88%.

The invocation guidance is broad enough that an agent could enter Drive-processing mode based on vague references to Google Drive content rather than clear, explicit user consent for bulk file access. In a skill that instructs navigation, listing, and scanning of files, ambiguous triggers increase the chance of unintended access to sensitive documents and over-collection beyond the user's actual request.

Missing User Warnings
Severity: Medium. Confidence: 95%.

The skill directs the agent to open Google Drive, enumerate all files in a folder, and inspect content snippets from each file, but it does not require a privacy warning, minimization step, or explicit acknowledgement that sensitive data may be exposed. Because Drive folders often contain mixed personal, confidential, or regulated content, bulk scanning without a warning or scoped consent can cause significant unintended disclosure and excessive data access.

Ssd 3
Severity: Medium. Confidence: 96%.

The workflow explicitly requires persisting full user prompts to disk and reading prior batch memory for reuse, creating a durable natural-language store of potentially sensitive user data. This is especially risky because the skill is designed for bulk input, file dumps, and cross-batch context, which can accumulate secrets, proprietary information, and personal data that may later be surfaced unintentionally.

Ssd 3
Severity: Medium. Confidence: 97%.

The skill directs the agent to append green/yellow/red items and cross-batch connections into long-lived value, parked, discarded, and graph files, which propagates user-derived content across runs. This makes accidental disclosure more likely because details from one user's batch can influence or appear in later sessions through persistent summaries and connection graphs.

Ssd 3
Severity: Medium. Confidence: 95%.

The document explicitly instructs the system to keep all dropped content recoverable on disk by linking tombstones back to the original batch document. In a batch-processing skill that may handle arbitrary user prompts, this creates persistent storage of complete user/context data beyond the active working set, increasing privacy, retention, and unintended disclosure risk if sensitive prompts are later recovered or accessed across sessions.

Ssd 3
Severity: Medium. Confidence: 97%.

The cross-batch persistence design carries surviving items from one batch into future batches and frames total knowledge as permanently recoverable, which enables user data and prior context to influence later unrelated sessions. In this skill context, that is more dangerous because it processes bulk prompt dumps and file-based inputs, so retained material may include sensitive, proprietary, or regulated data that can leak across users, tasks, or trust boundaries.

VirusTotal

65/65 vendors rated this skill clean (no detections). Note that an antivirus verdict covers the packaged files, not the behavioral and privacy issues listed in the findings above.