Digs: What you're figuring out.

Security checks across malware telemetry and agentic risk

Overview

This is a local research-notes skill, but it asks the agent to save conversation-derived notes automatically and create recurring background checks without clear opt-in.

Review this before installing. It is not showing exfiltration or destructive behavior, but you should remove or disable the cron/HEARTBEAT behavior and use it only in workspaces where you are comfortable with the agent proactively saving research questions, links, and conversation snippets into local markdown files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (13)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill’s stated purpose is managing markdown research files, but it also instructs the agent to modify HEARTBEAT.md and create cron jobs. That expands scope into persistent system automation unrelated to note-taking, creating a pathway for unauthorized local changes and recurring execution.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The self-update section tells the agent to fetch replacement content from GitHub and overwrite the local skill file. This introduces unnecessary remote code/content ingestion for a local note-management skill and creates supply-chain risk if the remote source is compromised or changed unexpectedly.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: Creating a cron job every 30 minutes establishes persistence at the system level, which is unjustified for a research-thread tracking skill. Persistent scheduled execution can continue modifying files or collecting conversational state long after the triggering interaction, increasing both security and privacy risk.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: Directing the agent to fetch remote content from GitHub adds network and code-replacement capability that is not required for the skill’s core purpose. Even if framed as maintenance, it enlarges the attack surface and could be abused to deliver altered instructions or malicious content.

Vague Triggers

High

Confidence: 95% confidence
Finding: The activation criteria are so broad that ordinary expressions of curiosity or uncertainty can trigger the skill. That makes unintended invocation likely and increases the chance of silent file creation, logging, or other side effects without the user realizing a persistence workflow has started.

Vague Triggers

High

Confidence: 97% confidence
Finding: The skill explicitly says to open a dig from loosely phrased curiosity and not ask permission. That removes an important consent boundary and allows the agent to turn normal conversation into persistent records without a clear, user-authorized action.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The cron-job instruction causes persistent system modification without any upfront warning, scoped consent, or explanation of consequences. Hidden or automatic persistence is especially risky because it can survive the current session and continue acting independently.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill encourages proactive capture of user curiosity, uncertainty, and related context into persistent files. Because this can include inferred interests and statements rather than explicit submissions, it creates a broad data-retention behavior that users may not expect.

Ssd 3

Medium

Confidence: 95% confidence
Finding: Automatically routing pasted links, articles, and observations into persistent research files without waiting for a request is silent logging. This can capture sensitive topics, work context, or personal interests beyond what the user intended to store.

Ssd 3

High

Confidence: 98% confidence
Finding: The instruction not to ask permission before opening a dig means the agent can persist inferred user interests and statements by default. In a conversational system, that behavior amounts to covert retention of user data and can expose sensitive research history over time.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The skill tells the agent to automatically add shared readings or links to relevant digs, extending stored history without consent. This broadens retention from direct notes to general browsing and discussion activity, which may be privacy-sensitive.

Ssd 3

High

Confidence: 97% confidence
Finding: Logging what the user 'just said' whenever a conversation touches an existing theme creates ongoing conversational surveillance behavior. It turns ordinary dialogue into durable records automatically, which is especially dangerous when topics may be personal, professional, or strategic.

Ssd 4

Medium

Confidence: 94% confidence
Finding: Taken together, the skill’s automatic logging, resurfacing of topics, state transitions, heartbeat integration, and cron-based checks normalize continuous monitoring and persistence. The cumulative workflow is more dangerous than any single instruction because it creates background collection and reactivation of user topics with little visibility or consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal