n Skill

Security checks across malware telemetry and agentic risk

Overview

This note-taking skill is coherent, but it asks users to store, sync, and share notes through an unspecified backend without enough privacy or control details.

Review before installing. Use it only for low-sensitivity notes unless the publisher documents the backend, privacy policy, retention and deletion controls, sharing confirmation flow, and how to revoke access to synced or shared notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation description is broad enough that the skill could be invoked for generic requests about notes, organization, or reminders without clear user intent to use this specific skill. In a skill that can sync and share user data, unintended invocation increases the chance of accidental disclosure, unwanted remote actions, or user confusion about where their data is going.

Missing User Warnings

Medium
Confidence: 94%
Finding
The feature list advertises syncing and sharing notes but does not warn users that note contents may leave the local device, be stored remotely, or be exposed to other recipients. Because notes often contain sensitive personal or business information, missing disclosure can lead users to unknowingly transmit confidential data to external systems or other users.

VirusTotal

65/65 vendors flagged this skill as clean.
