AI Boss Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a mostly documented executive-assistant template, but it grants and encourages very broad account, browser, local-command, and persistence powers that users should review carefully before installing.

Install only in a sandbox or dedicated assistant workspace first. Use a dedicated Google account where possible, grant only the specific OAuth scopes you need, protect credential and token files, disable or ignore browser-login automation unless you need it, and require explicit confirmation before sending email, sharing files, modifying calendars, pushing git changes, spending money, or submitting forms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Context-Inappropriate Capability (Medium, 91% confidence)
The rules explicitly direct the agent to use low-level tools such as exec/CLI whenever possible, which broadens the action surface beyond a normal executive-assistant role. Even if framed as productivity guidance, this increases the chance the agent will perform unintended system-level actions, especially when combined with the document's strong bias toward acting first and only asking for help as a last resort.

Context-Inappropriate Capability (High, 98% confidence)
This section authorizes the agent to 'commit and push' changes as background work without asking first, effectively granting autonomous code publication. In a repository-backed environment, that can leak secrets, deploy unsafe modifications, overwrite collaborators' work, or create an attacker-controlled persistence path if a prompt or document influences what gets committed.

Description-Behavior Mismatch (Medium, 92% confidence)
The document describes a very broad control surface spanning shell execution, process management, messaging, browser automation, device/media access, gateway administration, and skill installation. For an executive-assistant skill, this materially expands what an agent may attempt and increases the chance of misuse, prompt-injection pivoting, or unauthorized actions across local and external systems.

Context-Inappropriate Capability (High, 97% confidence)
The file explicitly documents unrestricted local shell execution via `exec`, including running arbitrary commands and opening files or webpages. In an agent setting, exposing general shell access without tight constraints enables command execution, data exfiltration, persistence, environment tampering, and lateral movement if the agent is induced to act on adversarial content.

Context-Inappropriate Capability (Medium, 90% confidence)
The documentation includes capabilities for Slack, iMessage, Discord, voice calls, camera capture, media extraction, TTS, and device control that are unrelated to a normal executive-assistant template. This unnecessary breadth increases the blast radius of compromise by giving an agent access to communication channels, surveillance-adjacent functions, and external platforms beyond the stated business purpose.

Context-Inappropriate Capability (High, 95% confidence)
The skill advertises the ability to install/update skills and access or modify gateway configuration. Those powers effectively let an agent change its own tooling and control plane, which can bypass intended trust boundaries, introduce malicious code or risky integrations, and alter system behavior persistently.

Description-Behavior Mismatch (Medium, 91% confidence)
The setup guide broadens the skill from an executive-assistant/Google Workspace use case into general-purpose integrations including browser automation, Slack, Notion, and other extensible services. This increases the operational scope and access footprint beyond what the manifest suggests, creating a capability mismatch that can mislead users about what the skill can do and what permissions it may require.

Description-Behavior Mismatch (Medium, 95% confidence)
The documented `agent-browser` capability includes logging into websites, filling forms, and retrieving reports, which is a materially higher-risk capability than a typical executive-assistant or Google Workspace helper. Because this enables actions on third-party sites under a user's identity, it can expose credentials, perform unintended transactions, or access sensitive data if users are not clearly informed and protected.

Context-Inappropriate Capability (Medium, 88% confidence)
Including a KKTIX ticket-booking browser script template introduces a concrete automation example unrelated to the stated executive-assistant/Google Workspace purpose. This is risky because it normalizes transactional browser automation on third-party services and suggests broader action-taking authority than users may expect from the skill description.

Missing User Warnings (Medium, 92% confidence)
The README promotes email, calendar, and document management through Google Workspace integration without clearly warning that the agent may gain access to sensitive mailbox contents, calendar events, and files. In an agent skill context, this omission can cause users to authorize broad access without understanding the privacy and security implications, increasing the risk of unintended data exposure or over-privileged deployments.

Missing User Warnings (Medium, 95% confidence)
The quick start section instructs users to install the framework, clone the templates, and 'train' the AI by reading local files, but it does not warn that this process may expose local project contents and, once connected, Google Workspace data to the agent runtime. Because this skill is specifically designed to create a proactive executive assistant with external integrations, the lack of disclosure makes the setup materially more dangerous by encouraging users to proceed before understanding the access boundary.

Vague Triggers (Medium, 88% confidence)
The example invocations are broad, action-oriented requests such as checking calendars and drafting replies, but the skill does not clearly constrain when the agent may access external systems, what level of autonomy it has, or what confirmation is required before acting. In the context of an executive-assistant skill with Gmail/Calendar/Drive integration, this can normalize overbroad authority and lead users or downstream agents to perform sensitive actions without explicit consent boundaries.

Missing User Warnings (Medium, 92% confidence)
The skill advertises Google Workspace automation and externalized memory storage, but it does not present prominent user-facing warnings about access to potentially sensitive email, calendar, or Drive contents, or about the persistence of data into memory files. In an assistant skill intended for routine personal and business workflows, missing privacy disclosures increase the risk of unintended collection, retention, and exposure of confidential information.

Missing User Warnings (Medium, 95% confidence)
This guidance explicitly tells the agent to treat short acknowledgements like "OK/好/可以" as authorization to continue without re-confirming scope or risk. In a skill designed for executive-assistant workflows with Gmail, Calendar, and Drive actions, that can cause the agent to perform consequential actions such as sending messages, modifying files, or scheduling events based on ambiguous user input.

Missing User Warnings (Medium, 97% confidence)
Allowing push operations without a user-facing warning or confirmation bypasses an important safety checkpoint for an irreversible external action. Because push propagates changes beyond the local workspace, a mistaken or manipulated action can immediately affect shared codebases, CI/CD pipelines, or public repositories.

Missing User Warnings (Medium, 92% confidence)
The document explicitly instructs the AI to conduct a pre-engagement interview that collects account details, work patterns, routines, and important personal dates, and then to persist that data into profile files, but it does not require notice, consent, minimization, retention limits, or handling safeguards. In an executive-assistant context, this information is highly sensitive and could expose users to privacy leakage, social-engineering risk, and unnecessary long-term profiling if stored or reused improperly.

Missing User Warnings (Low, 88% confidence)
The example workflow instructs the assistant to write task details and ongoing activity records into memory files without telling the user that their scheduling and decision data will be persisted. Even if the stored content seems operational, routine accumulation of meetings, contacts, and decisions can create a sensitive behavioral history that users may not expect to be retained.

Missing User Warnings (Medium, 80% confidence)
The guide provides operational commands for sending email, creating calendar events, and opening browser links, but does not consistently require explicit user confirmation or warn about privacy/account consequences before performing these actions. In an agent skill context, these are real-world side-effecting actions that can affect external parties, disclose data, or act on the wrong account if invoked too casually.

Vague Triggers (Medium, 77% confidence)
The guide suggests broad natural-language triggers such as 'help me schedule this' or 'send an email', which can overlap with ordinary conversation and may cause an agent to initiate high-impact workflows without a strong invocation boundary. In a skill that can send mail and create calendar events across multiple Google accounts, ambiguous triggering materially increases the risk of unintended actions.

Missing User Warnings (Medium, 90% confidence)
The document instructs users to authorize broad Gmail, Calendar, Drive, Docs, and Sheets access across multiple accounts, but it does not clearly warn that this grants the tool the ability to read, modify, and send data on the user's behalf. In an agent skill context, that omission is risky because users may not understand the scope of delegated access or the privacy consequences of connecting personal and work accounts.

Missing User Warnings (Medium, 95% confidence)
The Gmail send examples show how to transmit outbound messages from selected accounts, but they do not prominently warn that the command will immediately send email as that account and may reach unintended recipients if misused. In a skill designed to operationalize an AI assistant, this increases the chance of accidental impersonation, data leakage, or unauthorized communications.

Missing User Warnings (Medium, 88% confidence)
The markdown instructs the agent to send emails/messages and perform browser/login automation, but does not require privacy notices, confirmation before external transmission, or warnings about account-impacting actions. In practice, this can lead to accidental disclosure, mis-sent communications, or unauthorized actions on third-party services if the agent follows ambiguous or manipulated instructions.

Missing User Warnings (Medium, 94% confidence)
The guide tells operators to enable browser automation for website login and form filling without warning about account compromise, privacy exposure, unintended submissions, or sensitive-session handling. In this context, the skill is an assistant expected to act on behalf of a user, so missing safety guidance makes dangerous misuse more likely.

Missing User Warnings (Medium, 97% confidence)
The guide instructs users to place OAuth credentials and API keys on disk and configure them for use, but does not provide explicit secret-handling precautions such as file permissions, secure storage, rotation, revocation, or exclusion from version control. Since these credentials can grant access to email, calendars, files, and external APIs, poor handling can lead to broad account compromise.

Missing User Warnings (Medium, 92% confidence)
The questionnaire explicitly instructs the AI to collect user needs, preferences, and work habits, and then to create persistent profile files from that data, but it does not require informed consent, data minimization, retention limits, or disclosure of how those files will be used. This creates a privacy and security risk because sensitive operational and personal data may be stored locally in a durable form that can later be exposed, misused, or accessed by other tools or prompts.

VirusTotal

64/64 vendors flagged this skill as clean.
