Back to skill

Security audit

Tiny Talking Todos

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only todo CLI skill whose account access, mutations, and daemon behavior are disclosed and aligned with managing TinyTalkingTodos.

Install only if you trust the external `@ojschwa/ttt-cli` package and want an agent to manage your TinyTalkingTodos account. Avoid `ttt auth export` unless needed, do not paste or log exported credentials, review delete and batch commands before running them, and stop the daemon if you do not want a background connection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly documents `ttt auth export` for exporting credentials as environment variables but gives no warning about the exposure risks. Environment variables can leak through shell history, process inspection, logs, CI output, crash reports, or inherited child processes, so normalizing this workflow without guardrails can cause credential disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.