Back to skill

Security audit

Overnight Worker

Security checks across malware telemetry and agentic risk

Overview

This skill is an unattended productivity assistant with broad but disclosed tools, local report output, web research, and optional external notifications.

Install only if you are comfortable letting an unattended agent read task-relevant files, search the web, and write reports under ~/overnight-output. Prefer local/macOS notifications for sensitive work; Telegram or webhook notifications may expose task names, summaries, and output paths to third-party services. Be aware that the docs include a /tmp write fallback on file-write failure despite otherwise promising writes stay inside the work directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Granting general Bash access to an autonomous agent materially increases risk because natural-language instructions can be transformed into filesystem or process actions beyond the intended workflow. Even though the document includes self-imposed limits, those are policy text, not a technical sandbox, so a prompt-influenced run could still invoke broader shell behavior.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill claims all writes are restricted to $WORK_DIR, but the error-handling matrix explicitly allows writing to /tmp as a fallback. This contradiction breaks the stated trust boundary and could expose task contents or outputs in a shared or less-controlled location outside the promised workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README encourages webhook notifications and even shows the JSON payload sent externally, but it does not warn users that task metadata and local output-path details will be transmitted to a third-party endpoint. In an overnight autonomous workflow, users may submit sensitive research topics, code-review targets, or project names, so silent exfiltration of task context to external services creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Telegram setup documents how to send completion notifications through a third-party messaging platform but omits any warning that task-related metadata may leave the local environment. Because this skill is designed for unattended overnight execution, users may enable notifications for sensitive work without realizing that project names, completion summaries, or file locations could be exposed through Telegram.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill supports Telegram and webhook notifications but does not prominently warn that task details or output paths may be sent to third-party services. Users may unknowingly expose sensitive project names, research topics, or report metadata to external endpoints.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
WebSearch and WebFetch inherently transmit parts of the user's task or derived queries to external services, but the skill description does not clearly warn about this data flow. For an overnight autonomous agent, that omission is more dangerous because users may provide sensitive tasks expecting local-only processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.