Events

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent local event-tracking helper that stores event notes on the user's machine, with no evidence of exfiltration or deceptive behavior.

Install this if you are comfortable with the agent storing event details as markdown files under ~/events/. Review that directory before sharing your machine or backups, and ask the agent not to save sensitive events unless you explicitly want them recorded.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The activation rules are broad enough that ordinary mentions of events or plans could trigger the skill unexpectedly. That can lead to unsolicited collection or organization of personal event information, which is risky because this skill handles sensitive details like schedules, venues, ticket confirmations, and social relationships.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs creation of a workspace in the user's home directory without warning or explicit consent. Automatic filesystem writes in a personal directory can surprise users, create privacy issues, and persist sensitive event data such as appointment details, confirmation numbers, and guest lists on disk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal