Atmamun

Security checks across malware telemetry and agentic risk

Overview

This appears to be a content-only philosophical/spiritual guidance skill with overly broad activation behavior, but no evidence of malware, data access, persistence, or destructive actions.

Install only if you are comfortable with a philosophical/spiritual guidance skill that may activate on broad everyday terms. If it appears in unrelated conversations, disable it or narrow its activation phrases.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger list is extremely broad and includes generic terms such as "truth," "freedom," "consciousness," "suffering," "help," and even activation when a user says they just installed the skill or do not know how to start. This can cause the skill to activate during ordinary conversation and steer users into unsolicited spiritual guidance, increasing the chance of unwanted instruction injection into unrelated contexts.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs the AI to proactively present onboarding on first load without waiting for user consent, but provides no warning or opt-in mechanism. In combination with the broad triggers, this can lead to unsolicited persuasive or quasi-therapeutic spiritual content appearing in contexts where the user did not intentionally request it.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal