Gratitude

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local gratitude journal skill, with privacy-relevant local storage but no evidence of hidden or harmful behavior.

Install this only if you are comfortable saving gratitude journal content locally in ~/gratitude/. On shared, backed-up, or synced devices, treat that folder as private and periodically review or delete entries you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly creates a local `~/gratitude/` workspace and stores highly personal reflection data, including names, relationships, habits, and emotional state, without any stated notice, consent, or retention controls. Even though the feature is core to the skill, silent persistence of sensitive journaling content increases privacy risk on shared devices, synced home directories, backups, or systems monitored by other software.

Vague Triggers

Medium (87% confidence)
Finding
Using the single broad trigger phrase `gratitude` can cause accidental invocation during normal conversation, which may prompt the skill to steer the interaction or begin logging sensitive personal content unintentionally. In a journaling/privacy-sensitive skill, overly generic activation is more concerning because a mistaken trigger can result in collection or storage of intimate reflections the user did not mean to record.

VirusTotal

66/66 vendors flagged this skill as clean.
