Forest Cabin Local Mentor

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for finding local cabin-building mentors, but it asks the agent to keep identifiable contact and conversation records without privacy limits.

Install only if you are comfortable with the agent helping maintain local contact and conversation notes. Keep records limited to public or consented information, avoid logging sensitive personal details, anonymize where possible, and delete mentor files when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to create files containing identifiable local contacts and detailed conversation logs, but provides no consent, minimization, retention, or security guidance. This creates a real privacy risk because the agent may collect and persist personal data about private individuals who did not agree to be documented, potentially exposing sensitive relationship, location, or contact information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal