Eternal Task Board

Security checks across malware telemetry and agentic risk

Overview

This skill is a small local task-board CLI that stores tasks in a JSON file and does not show hidden network, credential, or destructive behavior.

Install only if you are comfortable with a local Python CLI creating and updating a JSON task database. Use the default .tasks.json or a dedicated task-file path, and do not pass --db pointing at valuable or unrelated files because the script rewrites that file when tasks change.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill advertises CLI functionality that persists tasks to a database file and even exposes a custom `--db` path, which implies file-write capability. When a skill can write files but does not declare that permission, users and policy enforcement cannot accurately assess or constrain its behavior, creating a transparency and sandboxing gap. In this context the writes are likely intended for legitimate task storage, but undeclared write access could still be abused to overwrite arbitrary files if path handling is unsafe elsewhere in the implementation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal