Acoustic Guitar

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward acoustic guitar practice helper that stores optional progress notes in a narrow local folder.

Before installing, expect the agent to create a local `~/acoustic-guitar/` folder and use it for practice logs. Review or confirm what gets saved, especially if casual practice discussion triggers a logging prompt, and avoid putting unrelated personal information in the notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to create `~/acoustic-guitar/` on first interaction without explicit user consent. Even though the action is low risk and aligned with the skill’s stated purpose, it still performs a filesystem side effect in the user's home directory unexpectedly, which violates least surprise and could normalize unauthorized file operations.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The logging triggers are broad enough to activate on ordinary conversation about practicing, struggling, or learning songs, which can cause the skill to solicit or record progress outside clear user intent. In a journaling-style skill this creates a real privacy and consent issue, even if the data is low sensitivity and the author likely intended helpful reminders rather than covert collection.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal