Back to skill

Security audit

Daily Workflow / 项目记忆工作流

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local daily-workflow/project-memory skill whose file updates are purpose-aligned, with a usability risk from broad trigger phrases.

Before installing, expect this skill to maintain local Docs/ workflow files. Use it when you want project-memory updates, and review changes if your Docs/ folder contains private or sensitive project notes. Consider narrowing trigger phrases or asking the agent to confirm before writing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes very common phrases such as "start work," "break time," and "end of day," which can plausibly appear in normal conversation without the user intending to invoke this workflow. That creates a real risk of unintended file reads/writes under Docs/, especially because the skill performs stateful updates when triggered.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.