Fishing

Security checks across malware telemetry and agentic risk

Overview

This is a local fishing log skill that stores fishing notes in a dedicated folder and does not show hidden network, credential, or destructive behavior.

Install this if you want a local fishing journal. Avoid saving exact private fishing spots or license details unless you are comfortable keeping them in ~/fishing, and ask the agent to confirm before logging entries if you want manual control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to update `~/fishing/catches.md` after a user reports a catch, but it does not require notifying the user that a local file will be modified or obtaining confirmation before writing. This creates a silent state-changing behavior on the user's filesystem, which can violate user expectations and lead to unintended persistence of potentially sensitive personal activity data.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill directs the agent to continuously track location-specific patterns in `~/fishing/spots.md` without an explicit disclosure that local files will be changed. Because saved fishing spots can reveal sensitive location history and habits, silent writes increase privacy risk and normalize unannounced persistence of user data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal