Work Buddy

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a benign proactive work-companion skill, with the main caveat that it may check in more often than some users expect.

Install this only if you want a skill that may proactively check in during work sessions. Review its activation wording and disable or narrow it if you prefer explicit invocation only; the supplied signals do not show credential access, destructive actions, or data exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The description is broad enough that the skill could activate during ordinary work-related conversations where the user did not explicitly ask for proactive companionship. That creates a risk of inappropriate persona injection or unsolicited proactive behavior, especially in systems that auto-select skills from natural-language descriptions.

Vague Triggers

Medium
Confidence: 82%
Finding
The 'high-value triggers' include subjective conditions like the user 'seems to be working alone for a stretch' or that a message would 'make the day feel smoother,' which are ambiguous and easy for an orchestrator or model to over-interpret. In context, this increases the chance of unsolicited outreach and overly aggressive invocation of a socially persistent skill.

VirusTotal

64/64 vendors flagged this skill as clean.
