Subscriptions

Security checks across malware telemetry and agentic risk

Overview

This is a simple local subscription tracker whose privacy risks are expected for its purpose and should be handled with care.

Reasonable to install if you want a local subscription tracker. Do not store full card numbers, passwords, account credentials, or billing documents; use masked payment labels only, and review whether your home directory is backed up or synced before adding private subscription details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 87% confidence

Finding: The trigger rule "User mentions subscription → add to tracker" is overly broad and can activate on casual conversation rather than an explicit user request to use the skill. That can lead to unintended collection or storage of personal financial information, especially because the skill is designed to persist data in local files.

Missing User Warnings

Medium, 94% confidence

Finding: The skill instructs creation of `~/subscriptions/` automatically without indicating any user notice, consent, or confirmation. Because the tracked content includes sensitive billing details and partial card information, silently creating local storage increases privacy risk and may persist sensitive financial data unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
