Intent Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a real focus-assistant skill, but it monitors and stores sensitive desktop activity with privacy controls that are incomplete or not enforced.

Install only if you are comfortable with continuous local desktop monitoring. Keep screenshot capture disabled unless you explicitly need it, avoid cloud vision models on sensitive screens, verify or add working-hours and excluded-app enforcement before relying on those claims, and set retention and file-permission controls for the OpenClaw memory data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script contradicts its own privacy claim by writing a full screenshot to disk via mktemp in /tmp before deletion. Even if cleanup usually succeeds, the image exists on-disk long enough to be recoverable through crashes, race conditions, backup/swap behavior, lax /tmp handling, or forensic inspection, which is risky for a tool that continuously watches desktop activity.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script emits the complete raw screenshot as base64, not a semantic summary, so any downstream component receives all visible on-screen data including secrets, messages, documents, and credentials. In the context of an always-on focus assistant, that broad collection materially increases privacy and data-exfiltration risk because capture is continuous and not scoped to the minimum needed purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes always-on desktop monitoring and mentions optional screenshot analysis, but it does not present a clear, prominent warning that the skill may collect highly sensitive information such as window titles, application usage, and potentially screen contents. Even if processing is intended to stay local, users may enable invasive monitoring without fully understanding the privacy implications, increasing the risk of unintended collection of credentials, personal messages, or regulated data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Quick Start directs users to launch background activity sensing immediately, but it does so without a prominent warning that this starts continuous desktop monitoring. That increases the chance a user will enable persistent collection of activity data without informed consent or understanding of what is being observed and logged.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger phrases include broad, natural language terms such as 'what was I doing' and 'track my tasks', which can cause accidental activation in unrelated conversations. In a skill that reads activity logs and infers user behavior, unintended invocation increases the chance of exposing sensitive recent desktop context when the user did not mean to engage the monitor.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill description and early sections do not prominently warn that it continuously monitors desktop activity and may collect window titles, document names, and potentially URLs or screenshot-derived summaries. Because this data can reveal confidential work, personal communications, or regulated information, the lack of upfront disclosure materially increases privacy and security risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description says the skill 'watches your desktop activity' and 'maintains a real-time task stack' but does not define when monitoring starts, what events trigger it, or any user-controlled scope limits. Broad activation language on a skill with desktop-observation capabilities can lead to overcollection, unexpected background surveillance, and user consent failures.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The description explicitly implies continuous desktop monitoring ('watches your desktop activity' and 'real-time task stack') without mentioning opt-in, consent flow, or visibility into collection. In the context of integrations like screen-monitor, personal-analytics, and memory tools, this increases the risk of persistent collection of sensitive behavioral or screen-derived data without informed user choice.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description states the skill 'continuously monitors your desktop activity' and maintains a 'real-time task stack,' but it does not clearly define when monitoring starts, what exact events are captured, or what user action constitutes consent. Ambiguous trigger scope in an always-on monitoring skill can lead to collection beyond user expectations, creating privacy and policy risks even if the author likely intended a legitimate productivity feature.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The manifest explicitly advertises 'continuously monitors your desktop activity' and 'learns your personal focus patterns' without mentioning clear user opt-in, consent flow, or policy justification. Because desktop activity may contain sensitive personal or business information, continuous monitoring without clear consent and boundaries increases the risk of covert surveillance, overcollection, and privacy harm.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly built around continuous desktop activity monitoring, app-switch tracking, interruption detection, and behavioral profiling, yet this reference does not pair that capability with clear consent, visibility, or privacy-boundary requirements. In an always-on assistant, that omission is dangerous because it normalizes collection of sensitive behavioral telemetry that could expose work patterns, communications context, and inferred intent without sufficiently explicit user awareness or control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This guide instructs always-on collection and analysis of recent window activity, task inference, interruption detection, and personalized behavioral profiling, but it does not include any explicit user-facing notice, consent step, or privacy boundary. In the context of a desktop skill that continuously monitors behavior, that omission is security- and privacy-relevant because users may enable pervasive monitoring without understanding the scope of collection, retention, and downstream reminders.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The cron examples automatically delete historical activity data and update a behavioral profile file, but the guide does not warn that these jobs will modify or remove stored user data on a schedule. While less severe than covert monitoring, silent automated data mutation can surprise users, affect auditability, and alter personalized behavior in ways they did not knowingly approve.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script continuously captures and persists foreground application names, bundle IDs, and window titles to a local JSONL log without any in-script consent flow, notice, retention limit, or access control hardening. Window titles frequently contain sensitive information such as document names, URLs, chat subjects, or customer data, so persistent collection materially increases privacy and confidentiality risk if the host is shared or later compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script continuously collects recent desktop window activity, including application names and window titles, and appends it to a persistent local log file without any notice, consent check, retention control, or access restriction. Window titles often contain sensitive information such as document names, chat subjects, URLs, or message previews, so silent collection creates a meaningful privacy and surveillance risk even though the data stays local by default.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script captures and exports screenshot contents with no user-facing notice, confirmation, or runtime indication, which undermines informed consent for highly sensitive desktop data collection. Because the skill is described as always-on, lack of visible warning makes the behavior more dangerous: users may not realize that interruptions, private chats, passwords, or confidential work are being captured for analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
