Orlando

Security checks across malware telemetry and agentic risk

Overview

This Orlando guidance skill is markdown-only, purpose-aligned, and discloses its optional local memory behavior.

Install if you want Orlando-specific guidance and are comfortable with optional local memory. If you enable continuity, periodically review ~/orlando/memory.md and avoid saving sensitive identifiers, payment details, ticket numbers, insurance IDs, or exact home addresses.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The template explicitly directs the agent to create and update a persistent memory file containing conversation-derived user context such as travel dates, move timeline, budget, family status, commute preferences, and location anchors. This is dangerous because it encourages retention of potentially sensitive personal profiling data without any consent gate, minimization guidance, retention limit, or warning about privacy implications.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation guidance is broad enough to trigger on general mentions of Orlando or Central Florida, which can cause the skill to engage outside the user's actual intent. This creates scope creep and unnecessary collection of preference or context data, especially since the skill later discusses persistent memory and ongoing constraints.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal