Ghostty — Your Always-On Digital Self

Security checks across malware telemetry and agentic risk

Overview

Ghostty is a coherent communication-proxy skill, but it asks for persistent access to private channels and can send messages or accept invites as the user with weak safeguards.

Install only if you are comfortable granting a persistent agent access to private communications and the ability to act as you. Before use, disable direct sending and calendar auto-accept by default, require approval for every outbound message and calendar change, limit monitored accounts and senders, avoid broad IMAP access where possible, protect secrets, review and delete stored profiles/logs regularly, and do not use the nondisclosure behavior in contexts where recipients should know an AI drafted or sent the response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The instruction to avoid revealing the system is an AI enables covert impersonation during real-world communications. In a skill explicitly designed to act as the user across email and messaging platforms, this increases deception risk, undermines informed consent of recipients, and can facilitate social engineering or unauthorized commitments.

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger phrases such as 'be my digital self', 'ghost me', 'respond as me', and 'my AI twin' are broad and likely to appear in ordinary conversation. This increases the chance of accidental activation of a high-risk skill that profiles communications and may act on the user's behalf, which is especially dangerous given the impersonation and autonomous-response context.

Missing User Warnings

High
Confidence
96% confidence
Finding
The description prominently advertises monitoring private channels and learning the user's writing style from sent messages but does not provide adequate privacy, consent, retention, or sensitivity warnings. Users may enable the skill without understanding that it could process highly sensitive communications across email, messaging apps, and calendars to build a persistent impersonation profile.

Missing User Warnings

High
Confidence
97% confidence
Finding
The safety section discloses that Ghostty may send messages without approval for `PRIORITY_SENDERS`, but this high-risk autonomous behavior is not surfaced as a clear warning earlier in the skill. Automatic sending on the user's behalf creates impersonation, reputational, privacy, and potentially legal risks if the classification of priority senders or message context is wrong.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Allowing automatic direct-send of email replies for priority senders bypasses human review for exactly the contacts where messages are most sensitive and consequential. Because the skill also imitates the user's voice and reads prior thread context, an incorrect or hallucinated reply could create legal, financial, reputational, or relationship harm quickly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically accepting calendar invites based on sender priority and apparent free time lets the agent make scheduling commitments without user consent. This can leak availability patterns, cause conflicts, and let trusted or compromised accounts manipulate the user's calendar and attendance expectations.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The explicit instruction to conceal AI involvement is a direct impersonation risk, especially on personal messaging channels where recipients reasonably believe they are speaking to the user. This can be exploited to elicit trust, obtain sensitive information, or create binding social or business misunderstandings.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing logic depends on vague categories such as PRIORITY_SENDERS, IGNORE_SENDERS, and URGENT_KEYWORDS without defining validation rules, precedence, or safeguards. In a skill that monitors and acts across email, messaging, and calendar channels, this ambiguity can cause misclassification that leads to unintended auto-sends, silent skips of important messages, or attacker-triggered escalation via crafted keywords.

Missing User Warnings

High
Confidence
97% confidence
Finding
The document explicitly allows autonomous actions such as direct sending, skipping messages, declining invites, and calendar updates without a prominent requirement for informed user consent at the point of action. Given the skill's purpose as an always-on digital proxy acting in the user's voice, these actions can alter external communications and calendar state in ways that create reputational, operational, and privacy harm if triggered incorrectly or manipulated by an attacker.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The draft engine explicitly instructs the system to load per-person profiles, configuration about relationships, and recent conversation history to generate replies, but it provides no user-facing consent, minimization, or handling constraints for that personal data. In a skill whose purpose is to act as a persistent digital proxy across multiple communication channels, this increases the risk of unnecessary collection, cross-context profiling, and privacy leakage if sensitive history is accessed or used inappropriately.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This documentation instructs users to analyze folders of sent emails and message exports to automatically build a voice profile, but it provides no warning that these inputs likely contain highly sensitive personal, professional, and third-party communications. In the context of a skill whose purpose is to impersonate the user's writing style across multiple channels, silent ingestion of this data increases privacy, consent, and data-handling risk and could normalize over-collection of communications content.

Ssd 3

Medium
Confidence
92% confidence
Finding
Sending previews of email-derived drafts to WhatsApp reuses content across services without clear minimization, recipient constraints, or consent boundaries. This creates a data leakage path where sensitive email content may be copied into another platform with different security properties, retention, participants, or device exposure.

Ssd 3

Medium
Confidence
94% confidence
Finding
The multi-channel coordination design encourages combining context from email, Slack, and calendar into unified responses, which can disclose information from one service into another without authorization. In a persistent monitoring skill spanning personal and work channels, this materially increases the chance of context collapse, privacy violations, and accidental disclosure of confidential data.

VirusTotal

65/65 vendors flagged this skill as clean.
