Roundtable Adaptive

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it may automatically process Discord messages, send discussion content to external services, and retain or reuse sensitive material without clear controls.

Install only if you are comfortable with submitted topics, context, critiques, and summaries being sent to web search, multiple model providers, and possibly Discord. Avoid secrets, regulated data, or proprietary strategy unless you can disable auto-triggering, Discord posting, persistence, and memory reuse, or confirm those controls exist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The prompt explicitly instructs the synthesis agent to post output to a Discord thread, which contradicts the declared skill behavior of writing results only to the local filesystem. This creates an unauthorized external data egress path: debate content, prompts, and synthesized conclusions could be transmitted to a third-party service without the user's explicit consent or matching manifest disclosure.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The fallback instruction to post to a default configured channel when no thread ID is provided is especially risky because it allows transmission even when the expected destination is absent. That increases the chance of accidental disclosure to the wrong Discord channel and bypasses any safety implied by requiring an explicit thread identifier.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README states that the skill performs web search and persists results to `~/clawd/memory/roundtables/`, but it does not clearly warn users that prompts and potentially sensitive topic content may be transmitted to external providers and stored locally. In a multi-model orchestration skill that may be used for proprietary strategy, architecture, or red-team discussions, this omission can lead to unintended disclosure or retention of sensitive data.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
Configuring any message in a channel to trigger the workflow is an overly broad activation rule that can cause the skill to process unintended inputs, including sensitive, adversarial, or incidental user content. In this skill, auto-triggering is especially risky because it can launch web searches, fan content out to multiple external model providers, create threads, and persist results without an explicit command boundary.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill description does not clearly warn that prompts may be sent to web search and multiple third-party AI providers, which can expose sensitive data to external systems. Because this orchestrator is designed to replicate user content across several services and optionally post results to Discord, missing disclosure meaningfully increases the chance of accidental data leakage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The prompt causes model output to be sent to Discord without any user-facing warning that content will leave the local environment. In this skill, outputs may include sensitive prompts, critiques, consensus data, or proprietary discussion artifacts, so silent external transmission materially increases privacy and data handling risk.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
Auto-triggering on any message in a configured channel can capture user content that was not intended for archival or multi-provider analysis, then store and redistribute it through threads and saved artifacts. The danger is amplified here because the workflow persists outputs to memory and may enrich prompts with web-searched context and multi-model forwarding.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The persistence logic stores raw prompts, synthesized outputs, and scorecard metadata in long-term local memory without any sensitivity classification, minimization, or retention limit. This creates a durable disclosure risk if users submit secrets, personal data, proprietary material, or regulated content, especially in shared workspaces or environments with weak filesystem controls.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
Reusing prior roundtable synthesis as prompt context can leak sensitive information from an earlier task into a later one, particularly if the later run involves different participants, providers, or topics. In this skill, the risk is compounded because reused memory may then be forwarded to several external models and posted into Discord threads, expanding the blast radius of any earlier confidential content.

VirusTotal

63/63 vendors flagged this skill as clean.