Gifts

Security checks across malware telemetry and agentic risk

Overview

This is a local gift-tracking skill that stores gift notes in a dedicated folder, with privacy considerations but no evidence of hidden or harmful behavior.

Install this if you are comfortable keeping gift notes about yourself and other people in local files under ~/gifts/. Avoid storing highly sensitive details, periodically review or delete old entries, and ask the agent to confirm before saving casual remarks if privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (93% confidence)
Finding
The skill uses broad natural-language triggers like 'user mentions gift idea' and 'user asks what to gift,' which can cause unintended activation during ordinary conversation and lead to unexpected collection or storage of personal information. In this context, the risk is elevated because the skill is designed to persist sensitive relationship data, preferences, birthdays, and gift history to local files.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs creation of a local '~/gifts/' workspace and storage of detailed personal data, including birthdays, sizes, interests, and gift history, without any notice, consent flow, or privacy guidance. This creates a real privacy and data-handling risk because users may not realize sensitive personal information is being written to disk and retained over time.

VirusTotal

66/66 vendors flagged this skill as clean.
