Long Task Handler

Security checks across malware telemetry and agentic risk

Overview

The skill matches its long-task purpose, but it can automatically send raw command output and logs to messaging channels.

Review this skill before installing in sensitive workspaces. Use it only where background jobs and messaging recipients are trusted, and configure notifications to send status-only or sanitized summaries before using it with deployments, database migrations, credentials, customer data, or private logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium (79% confidence)
Finding
The activation conditions use broad natural-language phrases like '别等我' and '跑完告诉我' without strong negative boundaries or confirmation gates, so the skill may trigger in situations the user did not intend. This can cause the agent to shift tasks into background execution and notification behavior unexpectedly, changing execution semantics and increasing the chance of accidental disclosure or unattended execution.

Missing User Warnings

High (95% confidence)
Finding
The skill states it applies to all channels and shows progress/completion notifications being sent to Feishu, but it does not warn users that command output may be forwarded to external messaging systems. Since build logs, migration output, and training logs often contain secrets, filenames, hostnames, tokens, or internal errors, this creates a clear confidentiality risk.

Missing User Warnings

Medium (87% confidence)
Finding
The workflow automatically backgrounds long-running commands but does not prominently warn that execution may continue asynchronously after the initial response. That can lead to users unintentionally starting impactful operations such as deployments, migrations, or training jobs that persist outside the interactive session.

Ssd 3

High (98% confidence)
Finding
The progress-notification design sends slices of raw command output to an external channel. Raw stdout/stderr commonly contains secrets, customer data, environment details, stack traces, or operational metadata, so forwarding it off-platform creates a direct semantic data-exfiltration path.

Ssd 3

High (98% confidence)
Finding
The completion handler explicitly fetches logs and embeds recent output in the notification message. This guarantees that potentially sensitive execution content is copied into outbound messages at task end, which is especially dangerous for deployments, migrations, and data-processing jobs that may print credentials, record samples, or internal infrastructure details.

Ssd 3

Medium (92% confidence)
Finding
The failure path sends raw error-log excerpts back to the user, and error output often contains stack traces, file paths, query fragments, credentials, and sensitive runtime context. Failures are often more sensitive than success logs because they expose debugging information and internals that should not be broadly disclosed.

Ssd 3

Medium (90% confidence)
Finding
The task-list output exposes full command lines and session identifiers in plain text. Command lines frequently include file paths, server names, database targets, flags, and even embedded secrets, while stable session IDs can reveal operational state and aid unauthorized task inspection or interference if reused elsewhere.

VirusTotal

65/65 vendors flagged this skill as clean.
