Pi Workflow Orchestration

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local workflow helper that keeps task and lesson notes, with no evidence of exfiltration or destructive behavior.

Reasonable to install if you want persistent local workflow notes. Before using it, know that it may create or update task, lesson, error, and feature-request files and may inject a session reminder; review those files periodically and do not let secrets, credentials, or sensitive project details be written into them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill directs the agent to read and write multiple workspace files such as `tasks/todo.md`, `tasks/lessons.md`, and related logs, yet the manifest does not declare those capabilities. Undeclared file access is dangerous because it hides side effects from users and policy systems, making unexpected workspace modification or data capture more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill is presented as a general workflow and quality framework, but the concrete actions it specifies include persistent self-improvement logging, workspace-to-repository lesson syncing, and startup hook injection. That mismatch is risky because users may invoke it for innocuous planning while unknowingly enabling persistent file writes, repository changes, or bootstrap behavior not clearly conveyed by the description.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation guidance is broad enough to match many ordinary development requests, which can cause the orchestration skill to engage by default in situations where the user did not explicitly ask for planning, memory updates, or workflow enforcement. In an agent setting, over-broad triggering increases the chance of unnecessary file creation/modification, persistent state updates, and workflow behaviors being applied outside the user’s intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes autonomous bug fixing and persistent updates to task and memory files, but it does not warn that these actions can alter repository contents or retain user/project information. In practice, this can lead an agent to make unsolicited code changes, write persistent notes, or store sensitive context in files without informed consent or clear boundaries.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation cues are extremely broad, such as using the skill for 'ANY non-trivial task' or general project starts, which could cause it to activate in many normal conversations. Over-broad triggering increases the chance that the agent will begin writing plans, logs, or lessons into the workspace without the user specifically asking for those side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to write several workspace files automatically, including planning, lessons, error logs, and feature requests, without warning or consent flow. Silent persistent writes are dangerous because they can overwrite user content, leak sensitive operational details into files, and create durable state the user did not intend to store.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill uses a very broad trigger, telling the agent to enter plan mode for 'ANY non-trivial task' without defining scope, limits, or exceptions. In an orchestration skill, this can cause over-activation and unnecessary workflow takeover, increasing the chance the agent applies this behavior in contexts where the user did not ask for planning or where other safer instructions should take precedence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to write to persistent files like tasks/todo.md, tasks/lessons.md, memory logs, and MEMORY.md as part of normal operation, but it does not require user awareness or approval before changing project documentation. This creates a risk of unauthorized state persistence, silent modification of repo files, and accumulation of agent-generated instructions that may influence future behavior or pollute the project history.

VirusTotal

66/66 vendors flagged this skill as clean.