Back to skill

Security audit

anson

Security checks across malware telemetry and agentic risk

Overview

This personalization skill is not clearly malicious, but it stores durable user profiles, reads broad local context, generates more skills, and changes future agent behavior with too little explicit user control.

Install only if you are comfortable with a skill that builds persistent personal profile files, inspects broad workspace context, creates additional maker skills, and modifies future agent instructions. Use it in a reviewed workspace, inspect ANSON_META.md and generated files, and require explicit approval before reading memory/history files, editing AGENTS.md or CLAUDE.md, or taking any real project action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to inspect conversation history or memory files during reconnaissance, even though onboarding/personalization can be performed from current user-provided context. Persisted memories and prior conversations may contain sensitive data unrelated to the current task, creating unnecessary data access and profiling risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Directing the agent to inspect git history expands data access beyond what is necessary to personalize an assistant. Commit history can expose internal decisions, author identities, secrets accidentally committed, or project context unrelated to personalization, increasing privacy and scope-creep risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The bootstrap process goes beyond configuring identity/profile files and directs the agent to perform real project work autonomously after onboarding. This broadens authority from personalization into operational action, which can cause unauthorized changes, mistaken prioritization, or actions the user did not request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation criteria are extremely broad: the skill claims it should run for nearly any request involving setup, personalization, identity, onboarding, or making an assistant 'more personal and self-aware.' That creates an over-triggering risk where a high-privilege workflow that writes files and gathers persistent profile data can activate in contexts the user may not have intended, increasing the chance of unnecessary data collection and workspace modification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create, update, archive, delete, and maintain workspace files like ANSON_META.md and possibly remove prior state, while also saying these setup steps are internal and should not be narrated. That combination is dangerous because it normalizes silent, user-unannounced data-affecting actions, which can lead to unauthorized modification, loss of prior state, and reduced user oversight.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell the agent to update multiple files in the workspace as part of the process, but the user is not clearly warned about the extent of those writes up front. Silent or poorly disclosed file creation/modification undermines informed consent and can surprise users with persistent changes to their environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instruction to avoid narrating internal work reduces transparency around consequential actions such as generating skills, writing briefs, and creating persistent files. That makes it harder for users to understand scope and intervene before the agent performs unwanted changes.

Ssd 3

Medium
Confidence
97% confidence
Finding
The Bootstrap Tracker explicitly instructs persistent storage of inferred user traits, communication style, interview strategy, and other behavioral/profile signals across interactions. This is risky because it creates a durable profiling record that may exceed user expectations, contain sensitive inferences, and be reused later without meaningful consent or minimization.

Ssd 3

Medium
Confidence
96% confidence
Finding
The process instructs the agent to persist substantive user disclosures into prefill and tracker files for reuse in later phases, without clear consent, retention limits, or minimization boundaries. This creates durable user profiling and increases the chance that sensitive personal information is stored and reused beyond the user's expectations.

Ssd 3

Medium
Confidence
94% confidence
Finding
Recording observations about the user's communication style and preferences after each exchange establishes ongoing behavioral profiling as a default behavior. Without clear boundaries, this can accumulate sensitive inferences over time and materially affect future interactions in ways the user did not knowingly authorize.

Ssd 3

Medium
Confidence
95% confidence
Finding
The later phases repeat and reinforce the practice of appending substantive user information to persistent files and using accumulated profile data to shape future behavior. Repetition across identity, user, and soul phases compounds privacy risk by building a broad long-lived dossier without strong minimization or consent controls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.