Back to skill

Security audit

timer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local timer skill with disclosed background execution and no evidence of hidden data access or unsafe behavior.

Install only if you are comfortable with each timer running a local background Node process and, on macOS, playing a system sound when complete. Use the documented process controls to check or cancel timers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill documentation claims a specific background-notification behavior, but the finding indicates the actual implementation behaves differently: it may run interactively, play local audio, and fail to emit the promised reminder notification. This mismatch is dangerous because agents and users may rely on the documented behavior for asynchronous reminders, causing silent failures, unexpected local side effects, or incorrect automation decisions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
timer.js:102