Back to skill

Security audit

UX Researcher

Security checks across malware telemetry and agentic risk

Overview

This is a local UX research helper with disclosed note-taking and activation preferences, and I found no hidden network, credential, or destructive behavior.

Install only if you are comfortable with a local UX research skill remembering product names, research notes, output preferences, and activation preferences. During setup, prefer explicit per-task activation if proactive UX suggestions would be intrusive, and review or delete ~/ux-researcher/memory.md when working with confidential product strategy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill instructs broad, proactive activation for general 'product decisions or UX' work and asks to persist that preference to main memory. This can cause the skill to trigger outside a narrowly scoped user request, increasing the chance of unsolicited intervention and unintended collection or retention of product-related context. In a research-oriented skill, overbroad activation is risky because product discussions often include sensitive business plans, customer assumptions, or internal strategy.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup directs the agent to save information to main memory but does not tell the user that their preferences and context will be persisted. Silent persistence creates a privacy and transparency issue because users may reveal product strategy, customer segments, or other sensitive details without realizing they will be stored across sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly documents saving researched products, insights, and output preferences to a local file, but gives no warning about data handling or consent flow. Because UX research inputs can include confidential product ideas, market assumptions, and potentially sensitive business information, undocumented local persistence increases the risk of privacy violations and unintended data exposure.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.