Back to skill

Security audit

Productivity

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only productivity skill that stores optional local notes and does not show hidden network, credential, or destructive behavior.

Install this if you want a local plain-text productivity system under ~/productivity/. Review any suggested AGENTS.md or SOUL.md routing changes before accepting them, and avoid saving sensitive personal or work details unless you intentionally want them persisted on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template explicitly instructs creation of a persistent local memory file containing personal productivity information such as constraints, routines, and friction points, but provides no user notice, consent flow, or data-minimization guardrails. Even though the storage is local, this can still accumulate sensitive behavioral data that may be retained longer than expected or exposed to other tools/users on the same system.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation language is broad enough that many ordinary planning or work-related requests could be routed into this skill even when the user did not intend to invoke a dedicated productivity framework. That can cause over-collection of user work context, persistence of sensitive planning data, and unwanted steering toward local file creation or workflow changes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing snippet defines invocation conditions like planning work, reprioritizing, reviewing commitments, and turning goals into execution without clear boundaries, which are common across many benign interactions. Because it also declares ~/productivity/ as the source of truth, it can bias future agent behavior toward this skill and its stored data in situations where that routing is unnecessary or privacy-invasive.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The SOUL guidance says that when work touches priorities, commitments, planning, or review, it should route through ~/productivity/, which is an extremely common condition in everyday work conversations. In context, this increases the chance of persistent over-routing and unnecessary centralization of personal work data, making the skill more dangerous because productivity topics naturally overlap with many sensitive professional and personal tasks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.