Nano Diary Hook

Security checks across malware telemetry and agentic risk

Overview

This skill transparently sends user-provided diary entries to a documented Nano diary webhook, and its sensitive behavior is aligned with its stated purpose.

Install only if you trust the Nano diary endpoint and are comfortable sending diary text plus your webhook token to it. Keep in mind that submitting the same date again may update or merge with an existing diary entry, so keep separate backups for records you do not want changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill sends diary content to a remote third-party endpoint using a personal webhook token, but the user-facing description does not clearly warn about this external transmission. Because diary entries are highly sensitive personal data, lack of explicit disclosure can cause users to unintentionally exfiltrate private information to an external service.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill notes that resubmitting for the same date can update an existing entry and may trigger AI merging, but it does not adequately warn users that existing diary content may be modified. This creates a risk of unintended alteration of personal records, especially where handwritten diary content is automatically merged in the background.

VirusTotal

65/65 vendors flagged this skill as clean.
