cultivator修道者

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it acts as an always-on gamified life assistant that persistently profiles ordinary conversations by default.

Install only if you want an always-on gamified diary/task assistant that records conversation-derived state. Keep it limited to its own data directory, avoid using it in sensitive chats or with sensitive images, review cultivator_data.json regularly, and confirm or disable any online search behavior before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium, 89% confidence
Finding
The skill metadata says it is a cultivation-themed guidance tool, but the instructions expand it into an always-on life assistant that records and updates persistent user state. This scope mismatch can mislead users and operators about what the skill actually does, reducing informed consent and increasing the chance that sensitive day-to-day conversations are processed and stored unexpectedly.

Context-Inappropriate Capability

Medium, 81% confidence
Finding
The skill adds web/search-engine retrieval to build world settings, which is broader than its stated role as a ring-elder cultivation guide. While not inherently dangerous, unnecessary external retrieval expands the attack surface for prompt injection, unexpected data flow, and capability creep beyond user expectations.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The instructions require shell/date/jq-based system command usage for routine operation even though the skill is framed as a narrative assistant. Invoking system commands and local file reads for every conversation materially increases capability scope and can expose filesystem and environment data or normalize unsafe command execution patterns.

Missing User Warnings

Medium, 97% confidence
Finding
The skill explicitly states that every user question and assistant response will be analyzed, structured, and written to a file, but it does not provide a clear user-facing notice or consent mechanism. This creates a privacy risk because ordinary conversations may be persistently logged and profiled without informed permission.

Vague Triggers

Medium, 88% confidence
Finding
Describing the skill as a 24/7 life assistant gives it an extremely broad activation scope with little boundary between ordinary chat and specialized skill behavior. This increases the likelihood of over-collection, unintended activation, and silent processing of unrelated user interactions.

Vague Triggers

High, 98% confidence
Finding
Requiring daily-task logic to run at the start of every conversation creates automatic behavior regardless of user intent. In context, this is more dangerous because it is coupled to persistent file reads/writes and profile updates, so even unrelated conversations can trigger state mutation and data processing.

Missing User Warnings

Medium, 97% confidence
Finding
The specification mandates writing modified user data to a local JSON file after each conversation, with full overwrite semantics, but does not require user warning or consent. This creates both privacy risk and integrity risk: sensitive derived profile data is stored persistently, and silent overwrites can corrupt or entrench inaccurate personal data.

Ssd 3

High, 99% confidence
Finding
The skill requires persistent collection of everything the user asks and the assistant answers, plus structured extraction of entities, relationships, preferences, and other profile data. This is dangerous because it creates a continuously expanding behavioral dossier from normal conversation, with no minimization or consent safeguards.

Ssd 3

High, 99% confidence
Finding
Mandating persistent writes of user-derived state after every conversation means profiling is automatic, continuous, and difficult for the user to avoid. In this skill, the danger is amplified by the very broad schema: names, relationships, knowledge, achievements, items, and behavioral streaks are all accumulated over time.

Ssd 3

Medium, 94% confidence
Finding
The growth logic requires updating multiple personal profile fields on every interaction, including knowledge gained, skills, happiness, reputation, and task progress. Even if framed as gamification, this is still systematic profiling of user behavior and can infer sensitive habits or traits from routine conversations.

VirusTotal

64/64 vendors flagged this skill as clean.
