Back to skill

Security audit

Mbti Guru

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed MBTI test tool that stores progress and results locally, with no artifact-backed evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable with MBTI answers and results being saved on the local server under chat/user identifiers for resume and history features. Operators should add a clear retention policy and should not rely on the claim that session filenames are anonymous unless they change the raw chat_id-based storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly plans persistent storage of per-user session state and test history keyed by chat_id, but it provides no mention of user notice, consent, retention limits, or access controls. Even though this is only implementation documentation, it still guides a design that can collect behavioral and personality-related data without transparency, increasing privacy and compliance risk if deployed as written.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The design states that generated PDF assessment reports are sent through Telegram, an external messaging platform, but does not mention warning users that their personality assessment results will be transmitted and potentially retained by a third party. This is risky because assessment outputs may be sensitive personal profile data, and transmitting them without clear disclosure can expose users to unintended sharing and privacy harms.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upgrade plan explicitly introduces per-user session and history storage keyed by user/chat identifiers and includes behavioral test metadata, but it provides no mention of retention limits, consent, deletion, access controls, or privacy notice. Even though this is a planning document rather than executable code, it signals a design that may lead to unnecessary collection and persistence of user-linked psychological profiling data, increasing privacy and compliance risk if implemented as written.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.