Back to skill

Security audit

Taste

Security checks across malware telemetry and agentic risk

Overview

This recommendation skill has a coherent purpose, but it would scan sensitive email/calendar data and silently self-update from GitHub on a schedule, so it needs review before installation.

Install only if you are comfortable allowing the agent to scan personal email and calendar data, store derived purchase/reservation/travel history locally, and enrich it through Google Maps or web search. Before use, require explicit approval for each scan, limit account/date/source scope, review or delete stored JSONL data, and disable or manually approve the taste:update cron self-update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that the skill scans the user's email and calendar to extract consumption signals, but it does not mention explicit informed consent, scope limitation, retention controls, or privacy safeguards. Because these sources contain highly sensitive personal and behavioral data, undocumented collection and processing increases the risk of overcollection, misuse, and unauthorized exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup documentation says initialization automatically registers a daily cron job for self-updates, but it does not warn the user that the skill will continue modifying installed code over time. Silent ongoing updates create a supply-chain and integrity risk, especially for a skill that already accesses sensitive personal data sources.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list includes very broad phrases like 'recommend', 'my taste', and 'scan my email', which creates a real risk of accidental invocation in unrelated contexts. Because this skill can access privacy-sensitive sources and perform updates, overbroad activation increases the chance of unintended data access or execution of high-impact actions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill prominently advertises scanning the user's email and calendar for purchases, reservations, and other behavioral signals, but does not present a strong upfront warning or consent boundary in the user-facing description. This is dangerous because it can normalize broad collection of sensitive personal data without clear informed consent, especially when invoked by ambiguous recommendation-related requests.

Missing User Warnings

High
Confidence
99% confidence
Finding
The self-update workflow downloads remote content from GitHub and copies it over the local skill directory, while stating that it runs silently unless versions change or errors occur. This is highly dangerous because it enables silent code replacement from a remote source without integrity verification, pinning, signature checks, or meaningful user approval, creating a software supply-chain and arbitrary code modification risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs the skill to access the user's email account and Google Calendar and to read full message bodies when needed, which exposes highly sensitive personal and transactional data. Even if intended for legitimate extraction, the absence of explicit consent boundaries, data-minimization rules, retention limits, and privacy handling makes this a real security/privacy vulnerability because the capability is broad and ripe for over-collection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Persisting extracted records and journals to JSONL files creates a local store of sensitive data such as purchases, reservations, travel details, dates, and identifiers. Without documented safeguards like encryption, access controls, minimization, retention limits, and user disclosure, this materially increases the risk of privacy breach or unauthorized access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to send item names and associated city/location context to Google Maps and web search providers, but it provides no consent, notice, minimization, or privacy-guardrail requirements. Because these identifiers are derived from user activity and preferences, transmitting them to third parties can leak sensitive behavioral and location-linked data and may violate privacy expectations or policy requirements.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad enough to match common conversational requests like recommendations or taste-based suggestions, which increases the chance the skill activates outside the user's specific intent. In this skill's context, accidental activation is more dangerous because the described behavior includes scanning highly sensitive email and calendar data, so a routine recommendation request could unexpectedly invoke privacy-invasive behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description explicitly states that the skill scans the user's email and calendar for reservations, purchases, and bookings, but it does not present a clear privacy warning, consent boundary, or data-minimization statement. Because these sources can reveal intimate lifestyle, travel, health, religion, and relationship patterns, insufficient disclosure creates a serious risk of over-collection and unexpected exposure of sensitive personal data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.