Burnout Recovery

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and not deceptive, but it asks the agent to persist sensitive burnout and work-life recovery details and write a local file without clear user opt-in or deletion controls.

Review before installing. Use it only if you are comfortable with the agent keeping burnout assessments, work boundaries, recovery notes, and reflections across sessions. Consider telling the agent to ask before saving files, keep data session-only unless you opt in, and delete reminders, notes, and stored state when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to write customized boundary scripts to a file in the user's home documents directory without requiring explicit user confirmation at the time of the write. Even though the content is not inherently dangerous, silent filesystem writes can violate user expectations, create privacy issues for sensitive mental-health-related content, and normalize actions that modify local state without consent.

VirusTotal

66/66 vendors flagged this skill as clean.
