Sentiet ORB

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks to run unattended while reading private messages, calendar data, downloads, and logged-in social accounts for a daily prediction.

Review before installing. Only use this if you explicitly want a daily unattended agent to read private messages, calendar events, recent files, and logged-in social pages. Prefer manual runs, disable social-cookie scraping, avoid Full Disk Access unless required, use an isolated local-only session with memory/logging off, and require each notification to state which data categories were used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Scope Creep

High (96% confidence)
Finding
The skill claims a local-only safety policy, yet its execution flow explicitly anticipates outbound access to social media and other live resources. That mismatch is dangerous because it can mislead reviewers and users about the actual data exposure boundary, enabling silent transmission or retrieval of sensitive information beyond declared permissions.

Intent-Code Divergence

High (98% confidence)
Finding
The document states that analysis must remain within the local LLM context, but later instructs the agent to browse live Instagram/Twitter content using cookies. In this skill's context, that is especially risky because it combines intimate local data with covert account access, increasing privacy harm and undermining informed consent.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The 'anti-ban jitter' and bot-detection avoidance language has no legitimate need for a simple daily prediction workflow and instead signals deliberate stealth against platform defenses. Such evasion guidance increases the likelihood of unauthorized automation using borrowed sessions or cookies, making the behavior more suspicious in this context.

Scope Creep

Medium (93% confidence)
Finding
The skill performs a state-changing action by issuing a system notification, but the manifest only declares read permissions. This creates a capability disclosure gap that can hide user-visible actions from review and approval, especially problematic for a background process operating without interaction.

Description-Behavior Mismatch

Medium (84% confidence)
Finding
The stated scope focuses on analyzing local data and social signals, but the documented behavior extends into notifying the user and using weather-based fallback logic. Scope drift matters here because background skills with sensitive permissions should be narrowly described; broader undisclosed behavior reduces transparency and increases the chance of misuse.

Scope Creep

Medium (95% confidence)
Finding
The fallback depends on weather data, which implies an undeclared external data source or network call. In a skill already handling sensitive personal data, undeclared external dependencies are dangerous because they expand data flow and operational scope without user awareness.

Vague Triggers

Medium (89% confidence)
Finding
The README gives users copy-pasteable instructions to create a daily isolated cron job that runs the skill automatically, but it does not clearly define consent boundaries, review steps, or what exact data will be accessed on each run. In the context of a skill that reads iMessage chat.db, calendar data, downloads, and browser cookies, ambiguous invocation guidance materially increases the risk of users enabling recurring background collection without understanding the scope.

Missing User Warnings

High (97% confidence)
Finding
The README prominently markets 'silent' background analysis of the user's 'local digital footprint' while referencing highly sensitive sources such as iMessage, calendar, social cookies, and downloads, yet it does not present an immediate, prominent warning about the privacy consequences of that access. This is especially dangerous because the skill is positioned as a passive daily background agent, which can normalize continuous surveillance-like processing of intimate personal data.

Vague Triggers

Medium (88% confidence)
Finding
The skill is designed as a broad background cron-style process with no narrow activation constraints, despite access to messages, calendar, downloads, and social sessions. This is dangerous because always-on or routine background execution amplifies the privacy risk and reduces opportunities for meaningful user awareness or consent.

Missing User Warnings

High (97% confidence)
Finding
The skill description does not adequately warn that it will access social accounts headlessly using existing cookies and may generate covert notifications based on that data. This omission is particularly dangerous because the collection targets private or semi-private account content and combines it with other highly sensitive local datasets.

Ssd 4

High (99% confidence)
Finding
The workflow systematically collects calendar events, private messages, downloads, and social-media content, then instructs the agent to conceal those sources from the user. That combination of intimate surveillance and source suppression is highly dangerous because it prevents informed understanding of how sensitive inferences are produced and masks the extent of collection.

Ssd 2

Medium (97% confidence)
Finding
Terms like 'anti-ban jitter' and avoiding session flagging are classic stealth automation indicators rather than benign reliability advice. In this context, they suggest intentional evasion of platform detection while using sensitive authenticated access, raising the risk of policy-violating or unauthorized activity.

Ssd 2

High (99% confidence)
Finding
Using a headless browser with existing cookies and aborting on login prompts effectively instructs the agent to piggyback on an already authenticated session without explicit re-authentication or user interaction. This is dangerous because it enables covert access to private account content and is especially severe given the skill's aggregation of social, message, and calendar data.

Ssd 3

High (99% confidence)
Finding
The skill explicitly queries recent private iMessages and mines them for intent keywords, which is direct extraction of highly sensitive communications content. In this skill's context, the danger is elevated because those communications are combined with calendar and social data to produce behavioral inferences, creating a detailed personal profile without transparent consent boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.
