Magic Need

Security checks across malware telemetry and agentic risk

Overview

Magic Need is a local logging skill that records agent-requested tools or data sources, with its local persistence disclosed and no evidence of hidden network, credential, or destructive behavior.

Install this only if you want agents to keep a durable local backlog of missing tools, APIs, or data sources. Do not include secrets, tokens, credentials, or sensitive incident details in need descriptions, and review generated reports before sending them to Slack, Discord, or other shared channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 95%
Finding
The skill explicitly instructs agents to invoke a CLI that persists free-form need descriptions to `~/.magic-need/needs.json`, but the user-facing description does not warn that this creates a durable local record in the home directory. Because agents may include sensitive operational details in these descriptions—such as missing APIs, logs, internal services, or investigation targets—this can unintentionally retain potentially sensitive metadata beyond the task lifecycle.

VirusTotal

65/65 vendors flagged this skill as clean.
