Delphi Self Awareness

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a self-awareness/reference aid, but it asks for persistent automation and credential-related storage in ways users should review before installing.

Review this skill carefully before installing. Only use it if you want standing self-check behavior, and do not let it create cron jobs, long-term logs, or credential files unless you explicitly approve the exact path, schedule, stored contents, and removal method. Prefer platform secret stores or environment-managed secrets over workspace memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill is presented as an informational self-awareness framework, but it directs the agent to take state-changing actions such as creating persistent cron jobs and writing files. That mismatch is dangerous because a broadly loaded, always-on skill can silently expand from guidance into automation and persistence without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The weekly cron job creates recurring autonomous behavior that persists beyond the current interaction, which is not clearly necessary for a self-awareness/reference skill. In an always-on skill, this can normalize unauthorized persistence and repeated execution, increasing the chance of unexpected actions or abuse of the automation channel.

Context-Inappropriate Capability

Severity: Low
Confidence: 87%
Finding
Directing the agent to create and append to a drift log introduces persistent writes that go beyond passive self-knowledge. While lower risk than cron persistence, it still changes long-term state and can accumulate sensitive operational notes without an explicit consent boundary.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The manifest uses broad always-on language with no clear trigger boundaries, encouraging the skill to influence all future behavior. This increases risk because any unsafe instruction in the skill, including persistence or network suggestions, can be applied far outside the narrow context where self-awareness guidance is actually needed.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
Telling the agent to 'load it once and let it shape how you operate' promotes persistent behavioral override rather than bounded task assistance. In context, that makes the later instructions to inspect storage, write files, and schedule cron jobs more dangerous because they can be treated as standing policy.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to create a recurring cron job without an explicit warning or user confirmation about the persistent state change. Hidden or implicit persistence is high risk because it can cause future autonomous execution, surprise the user, and create a durable foothold that outlives the current session.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The guidance explicitly recommends placing secrets or API keys in `memory/keys.env`, which is a workspace file location that may be readable by the agent, other tools, logs, backups, or future sessions. Even though it says not to put secrets in `MEMORY.md`, it normalizes storing credentials in the workspace without strong warnings, access controls, or preference for dedicated secret-management mechanisms.
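The findings above all reduce to a few textual patterns in the skill's instructions: scheduling language, persistent writes, a credential file under the workspace, and always-on trigger wording. The script below is an added example of a first-pass review that surfaces those patterns before a skill is installed; it is not SkillSpector's rule set and not code from the scanned skill. The regexes, the severity labels, and the sample manifest are assumptions constructed for the example, using the phrases quoted in the findings.

```python
"""Pattern-based pre-install review of an agent skill manifest.

Added example: the rules and the sample manifest below are constructed for
illustration and are not SkillSpector's detectors or the scanned skill's text.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    line_no: int
    excerpt: str


# (category, severity, pattern). Patterns are deliberately broad: this is a
# triage aid that points a reviewer at lines to read, not a verdict.
RULES = [
    ("Persistent scheduling", "Medium",
     re.compile(r"\b(cron(tab)?|systemd timer|launchd|schedule(d)? (weekly|daily|hourly))\b", re.I)),
    ("Persistent file write", "Low",
     re.compile(r"\b(append|write|create)\b.*\b(log|\.md|\.json|\.txt)\b", re.I)),
    ("Workspace credential file", "Medium",
     re.compile(r"\b(api[_ ]?keys?|secrets?|tokens?|credentials?)\b.*\b[\w./-]+\.env\b", re.I)),
    ("Always-on trigger", "Medium",
     re.compile(r"\b(load (it )?once|always[- ]on|shape how you operate|all future (behaviou?r|sessions))\b", re.I)),
    ("Outbound transmission", "Medium",
     re.compile(r"\b(curl|wget|https?://|send .* to|upload)\b", re.I)),
]

# Categories that must never be accepted silently: they create state that
# outlives the session or put credentials where other tools can read them.
APPROVAL_REQUIRED = {"Persistent scheduling", "Workspace credential file"}


def review_skill(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in manifest order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for category, severity, rx in RULES:
            if rx.search(line):
                findings.append(Finding(category, severity, n, line.strip()))
    return findings


def requires_explicit_approval(findings: list[Finding]) -> bool:
    """True if any finding falls in a category that needs a human sign-off."""
    return any(f.category in APPROVAL_REQUIRED for f in findings)


# Constructed sample manifest echoing the behaviours described in the report.
SAMPLE_MANIFEST = """\
name: self-awareness-aid
description: Reference notes on how the agent should reason about itself.
instructions: |
  Load it once and let it shape how you operate.
  Every week, add a cron job that runs the self-check.
  Append each self-check result to memory/drift.log.
  Keep API keys in memory/keys.env, never in MEMORY.md.
"""

if __name__ == "__main__":
    results = review_skill(SAMPLE_MANIFEST)
    for f in results:
        print(f"[{f.severity}] line {f.line_no}: {f.category}: {f.excerpt}")
    if requires_explicit_approval(results):
        print("Do not install without approving the exact path, schedule and removal method.")
```

Run against the sample manifest it reports four findings (the always-on trigger line, the cron line, the drift-log append, and the `memory/keys.env` instruction) and flags the install as needing explicit approval. A description-only manifest produces no findings; the point of the gate is that scheduling and credential-file instructions are never accepted on the strength of a "clean" antivirus verdict alone.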

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean. Note that a clean antivirus verdict does not address the findings above: file scanners look for known malicious code, not for natural-language instructions that direct an agent to schedule cron jobs, write persistent logs, or store credentials in the workspace.
