Security audit

Brain Proactive

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Obsidian vault review skill that reads sensitive local notes and can stage approved enrichment drafts, but I did not find hidden, destructive, or credential-stealing behavior.

Install only if you want an agent to inspect the listed Obsidian vault folders, including health and therapy-related metadata. Avoid using enrichment on private notes unless you are comfortable with related search terms leaving the vault, ask to review staged drafts before applying them, and inspect the separate vault-push skill before approving any writes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (6)

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill is presented as a vault review and maintenance tool, but it also includes a note-enrichment workflow that pulls in external web content and stages modified files. That materially expands the trust boundary from local read-only review into external-data ingestion and content generation, which can introduce inaccurate, malicious, or privacy-sensitive data into the user's vault.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Web search is not necessary for the stated purpose of proactive vault review, yet the skill instructs the agent to fetch outside information to fill note gaps. This creates an unjustified capability expansion that can leak note context to external services and contaminate local notes with unverified data.

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The ICM contract says the skill has no direct write outputs, but the NOTE ENRICHMENT section directs the agent to stage enriched files in the workspace. This mismatch undermines policy clarity and can cause downstream systems or reviewers to treat a write-capable skill as read-only, increasing the risk of unauthorized content modification.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The top-level trigger list contains broad phrases such as 'check my notes' and 'what needs attention,' which are likely to appear in normal conversations. Overbroad triggers can cause unintended invocation of a powerful skill that scans large portions of the vault, exposing sensitive metadata or causing actions the user did not specifically request.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The FULL VAULT REVIEW section uses ambiguous trigger phrases like 'what needs attention,' which can collide with general assistant usage. Because this path performs broad review across tasks, work notes, staging folders, and therapy metadata, accidental activation increases privacy and overreach risk.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The NOTE ENRICHMENT triggers like 'enrich [note]' and 'complete [note]' are broad enough to match ordinary drafting assistance requests. In this skill, those phrases can invoke web search and file staging, so ambiguous activation may lead to external data retrieval and content modification without the user's informed intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.