Time

Security checks across malware telemetry and agentic risk

Overview

This skill is a local time-planning helper that writes a scoped markdown timeline and does not show network, credential, hidden persistence, or deceptive behavior.

Install only if you are comfortable running the bundled Node.js CLI. Use it in a project or scratch directory where a time.md file is expected, avoid --force unless you intend to overwrite that file, and do not store secrets in timeline notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The documentation explicitly instructs use of `init --force` to overwrite `time.md` and `rm -f time.md` to delete files, but it does not prominently warn about data loss or require use of an isolated directory beyond an example. In an agent setting, this can normalize destructive file operations and lead to accidental overwrites or deletions if the working directory or target path is wrong.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal