Neomano TODO

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local task manager with optional reminder metadata, but users should verify any external reminder destination before use.

Before installing, decide whether task titles or notes may contain sensitive information, since they will be stored locally and may be used in reminders. If you enable reminders, verify the configured channel, target, and timezone so notifications go to the intended recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes storing reminder delivery metadata and enabling cron-delivered outbound reminders to channels such as WhatsApp or Telegram, but it does not warn the user that task data and reminder timing may be transmitted externally. This can lead to unintended disclosure of sensitive task content or messaging to a wrong recipient if defaults are preconfigured or reused without explicit confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.
