Storytelling

Security checks across malware telemetry and agentic risk

Overview

This is a storytelling helper that keeps disclosed local notes for continuity, with no evidence of hidden execution, network activity, or credential access.

Install only if you are comfortable with local storytelling memory under ~/storytelling/. Avoid putting confidential customer details, unreleased business strategy, sensitive personal stories, or credentials into that memory unless you intentionally want them retained for later sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The setup instructs the agent to store user context so future sessions begin with the same constraints, but it does not require clear user disclosure or consent for cross-session retention. This creates a privacy risk because users may share audience details, beliefs, objections, or preferences without realizing that information is being persisted beyond the current interaction.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The `Internal Notes Policy` directs ongoing retention in `memory.md` of audience assumptions, objections, reusable examples, voice preferences, and past outcomes, yet only mentions minimization and avoiding sensitive data unless explicitly requested. Without a clear disclosure and consent mechanism, this can silently accumulate user-related profiling data across sessions and expose private or strategically sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal