Tiny Talking Todos

Security checks across malware telemetry and agentic risk

Overview

This is a coherent todo-list CLI skill with disclosed account login, mutation commands, and daemon behavior, but credential export should be handled carefully.

Install only if you trust the external `@ojschwa/ttt-cli` package and intend to connect it to your TinyTalkingTodos account. Avoid `ttt auth export` unless necessary, do not print or log exported credentials, confirm deletes and batch changes before running them, and stop the daemon if you do not want a background connection.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly documents `ttt auth export` to export credentials as environment variables for scripts, but gives no warning that these values are sensitive secrets that can leak through shell history, process listings, logs, CI output, or inherited environments. In an agent skill context, encouraging scripting/export without guardrails increases the chance of accidental credential disclosure or reuse in unsafe contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal