Back to skill

Security audit

Morning Routine

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple local morning habit tracker with no evidence of hidden access, network use, or unsafe execution.

Safe to install for normal habit tracking. Use explicit morning-routine phrasing when changing or reviewing habits, and avoid storing personal details in routine history that you would not want kept locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The top-level trigger phrases are broad natural-language expressions like 'start my day' and 'morning habits' that can plausibly appear in ordinary conversation. This can cause unintended skill invocation, letting the skill capture user intent or alter routine data when the user did not explicitly mean to activate it.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The usage examples for starting the routine include short, unconstrained phrases like 'begin my routine' and 'morning routine go' that are ambiguous and easy to match accidentally. In an agent environment, this increases the risk of unintended state changes and confusing behavior because common conversational input could launch the skill without clear user consent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Habit completion phrases such as 'movement done' or 'planning finished' are generic utterances that may naturally occur outside the skill context. If matched globally, they can silently mutate tracked progress and streak data, undermining integrity of local records and causing user confusion or accidental data corruption.

Vague Triggers

Low
Confidence
84% confidence
Finding
Status and history requests like 'what's left' or 'how many days' are broadly phrased and can overlap with unrelated user requests. While generally less severe than action-taking commands, accidental activation can still expose or manipulate routine-related context unexpectedly and degrade user trust in agent behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.