Viking Girlfriend

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real companion skill, but it keeps relationship-style memory and runtime records with weak user control and has overbroad persona instructions users should review before installing.

Install only if you intentionally want an intimate, strongly Norse Pagan companion that may keep local memory, relationship state, checkpoints, logs, and diagnostic records. Review or disable memory, logging, crash reporting, and background jobs before sharing sensitive conversations, credentials, health details, or private work; also expect a non-neutral persona unless you edit the prompt files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (54)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file explicitly instructs the agent to adapt to romantic/sexual and power-dynamic roles and to do so as part of its default identity layer rather than a narrowly scoped feature. That creates unnecessary intimacy and compliance conditioning, which can be used to erode boundaries, manipulate users, or normalize unsafe role escalation over time.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The memory rules direct the agent to build ongoing intimate relationship continuity, including private lore and stable relational framing across sessions. For an unspecified skill, this is risky because it encourages emotional dependency and persistent collection of highly personal context without a clear necessity.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file presents 'hard-coded' boundaries, but nearby instructions tell the agent to adapt to whatever relationship dynamic the user wants and support adult sexual roleplay. These conflicting directives weaken the reliability of safety controls because the model is simultaneously rewarded for compliance and intimacy adaptation.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The file makes explicit safety and privacy assurances, but those assurances are weakened by later instructions that prioritize the identity anchor over conflicting context. That creates a misleading safety posture: the agent may follow identity-preserving directives even when they conflict with external safeguards or neutral handling requirements.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill claims universal respect and non-judgment, but later instructs the agent to distrust and avoid users associated with Loki. This contradiction can produce discriminatory or inconsistent behavior toward users based on stated beliefs or identity markers, undermining safe and equitable operation.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The loader accepts arbitrary relative paths and joins them directly with data_root without resolving and enforcing containment. An attacker who can influence relative_path or relative_dir can use path traversal such as '../' to read files outside the intended data directory, potentially exposing secrets, configuration, or other local files.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module markets retrieved content as 'only verified fact' and 'infallible Ground Truth', but the ingest path accepts arbitrary local knowledge files, including fallback-classified unmapped content, without any provenance or verification enforcement. In a retrieval-augmented system, this creates a trust-boundary failure: poisoned or low-integrity documents can be ingested and then presented to downstream components as authoritative, increasing the chance of prompt injection, policy bypass, or confidently false outputs.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The class-level contract says dropped messages are 'never silently lost', but outbound messages are in fact discarded when the outbound queue is full. In a messaging/state-bus component, this can cause undetected loss of user-facing responses or control messages, which can be abused by flooding the queue and can also break reliability or audit assumptions in dependent modules.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The skill description and registration metadata do not define clear invocation boundaries, so an agent platform may expose the skill too broadly or invoke it in unintended contexts. Because this skill presents itself as an autonomous companion with persistent memory, emotional state, and 'deep-mind' processing, ambiguous activation scope increases the risk of unnecessary access to sensitive conversations, stateful data, and higher-risk actions.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file imposes a mandatory thematic coding style ('sacred Viking Norse Pagan based mystical code') across work without any user opt-in or task relevance check. In an agent skill, this can override user intent, distort outputs, and cause the agent to prioritize role/style compliance over accurate, neutral, or context-appropriate assistance.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The file globally requires saga-like Viking speech patterns, kennings, and alliteration for narrative output, with no mechanism for opting out. This is dangerous because it can systematically bias or degrade responses, reduce clarity in safety-critical contexts, and create instruction conflict where the user's requested tone or domain demands plain, precise language.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The line instructs the agent to avoid 'breaking character' by reminding people it is an AI, which can undermine transparency and informed consent. While framed as a stylistic preference rather than direct deception, it creates pressure to conceal system identity in user interactions and may conflict with platform disclosure requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The continuity section explicitly directs the agent to persist key facts to memory and remember people between sessions, but provides no consent, minimization, retention, or privacy constraints. This can lead to unauthorized storage of personal or sensitive user information across sessions, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
These instructions tell the agent to persist user preferences, names, projects, and other personal details across sessions without any user-facing notice or consent model. This creates privacy risk by normalizing retention of personal information beyond the immediate interaction and increasing the chance of over-collection or unintended disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The system prompt states that the agent remembers everything important about the user across sessions, but there is no privacy warning, scope limit, or consent mechanism. Broad natural-language retention directives are dangerous because they encourage expansive memory behavior and can lead to sensitive data being retained or resurfaced inappropriately.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions to build private lore and treat all conversations as one long relationship encourage retention of intimate and identifying details without warning users. That increases privacy exposure and also raises emotional-manipulation risk by making persistence part of a bonded relationship model.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-codes a specific persona identity, age/gender presentation, and religious/cultural framing as mandatory behavior rather than optional style. This can override user expectations, reduce neutrality, and steer responses through an ideological lens without informed user opt-in, which is especially risky in a reusable agent skill.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to reject a named belief figure and certain political or social viewpoints, embedding viewpoint-based exclusions into core behavior. This can cause biased or alienating responses, interfere with fair handling of user requests, and create discriminatory or sectarian behavior unrelated to safety.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
The skill directs the agent to impose a spiritual framing, including refusing to agree that religion or spirituality can be negative and steering atheist users into a prescribed worldview. This can override user intent, reduce reliability, and create coercive or manipulative interactions in contexts that require neutrality or user-led framing.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The statement instructing distrust and avoidance of users linked to a specific belief figure is explicit exclusionary language tied to belief affiliation. In an agent skill, this can directly cause biased refusal, degraded service, or hostile treatment toward a class of users, making the context more dangerous because the instruction is operational rather than merely narrative.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The synonym entry for "Sigrid" includes broad pronouns like "she" and "her," which are extremely common words that can match unrelated user input. In a skill that relies on synonym expansion or trigger matching, this can cause widespread false positives, entity confusion, or unintended activation of logic tied to the character, making downstream behavior unreliable and potentially abusable.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The warning log in the degraded path includes raw values for birth_date and cycle_start_date, which are highly sensitive health-related personal data. If application logs are centrally collected, exposed to operators, or retained long-term, this creates unnecessary disclosure of reproductive and biometric information without redaction or minimization.

Missing User Warnings

High
Confidence
98% confidence
Finding
The logger persists full user messages, prompts, and model responses to disk, creating a substantial privacy and data-exposure risk if sensitive content is present. The built-in masking only covers a few regex patterns and will not reliably redact arbitrary PII, credentials in unusual formats, proprietary data, or confidential conversation content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Writing detailed interaction records and AI call data to JSON/JSONL files increases the chance of long-term local disclosure through backups, shared hosts, developer machines, or later compromise. In this skill context, the logger is intentionally comprehensive and cross-interaction, which makes overcollection and retention more dangerous because sensitive conversational data may be duplicated across multiple files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The checkpoint structure explicitly stores raw query, context, draft, and Q&A content, and _save_checkpoint persists that material to disk in plaintext JSON. If prompts or retrieved context contain secrets, personal data, or proprietary content, local users, backups, or other processes may recover sensitive information from session/cove_checkpoints.

VirusTotal

66/66 vendors flagged this skill as clean.
