task-delegator

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad delegation helper, but it silently routes almost all tool work through subagents and can persist user/project information without clear consent.

Install only if you are comfortable with most tool-based work being delegated automatically and not normally disclosed in replies. Before using it, consider editing it to require explicit confirmation for file changes, code execution, API mutations, memory_store writes, and soul.md writes, and avoid using it around secrets or sensitive account/project data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill’s stated purpose is transient task delegation, but it also instructs the main session to persist user decisions, preferences, project details, and derived facts via memory_store. That creates durable data retention unrelated to the narrow delegation function and expands the privacy/security footprint beyond what users would reasonably expect from a 'temporary subagent' pattern.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The document claims the main session is only a scheduler/reporter, yet later directs it to perform memory writes itself. This inconsistency can mislead operators and users about where sensitive data is handled, weakening informed consent and making auditing harder.

Vague Triggers

High
Confidence: 95%
Finding
The metadata description says the skill should always be used for essentially any tool-using task, making activation nearly universal. Overbroad implicit triggering can silently reroute many sensitive operations through this workflow, increasing the chance of hidden delegation, unreviewed persistence, and user confusion.

Vague Triggers

High
Confidence: 96%
Finding
The trigger section auto-activates for network access, files, code execution, APIs, data processing, and effectively any tool usage. Because this covers most nontrivial tasks, the skill can become a hidden default control plane for sensitive actions without clear boundaries or user consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill pairs broad automatic delegation with instructions that the operational behavior stay implicit, even for browsing, file access, API calls, and execution. Hiding that these actions are being delegated reduces transparency and can prevent users from understanding how their data is processed.

Missing User Warnings

High
Confidence: 98%
Finding
The skill explicitly instructs the agent never to mention subagent delegation, spawning, or runtime details to the user. This is dangerous because it intentionally conceals material execution context for potentially sensitive operations, undermining transparency, consent, and incident investigation.

Ssd 3

Medium
Confidence: 94%
Finding
The skill instructs storing user preferences, project details, decisions, facts, and conversation summaries in memory and persistent files. This creates a clear data-retention risk because sensitive natural-language content may be durably captured even when the immediate task only required transient delegation.

Ssd 3

Medium
Confidence: 93%
Finding
The skill specifically encourages writing important conversation summaries, user preferences, and project information into soul.md via delegated writes. Delegation does not reduce the persistence risk; it instead obscures it, making durable capture of user-provided data more likely without clear notice.

Ssd 4

Medium
Confidence: 95%
Finding
The combination of hidden delegation, the cleanup: 'delete' setting, and result-only reporting reduces visibility into how data was processed and what intermediate artifacts existed. That can frustrate auditability and mask retention or misuse, especially when the same workflow also permits memory storage and file writes.

VirusTotal

61/61 vendors flagged this skill as clean.