Timeline

Security checks across malware telemetry and agentic risk

Overview

This skill locally saves user-requested timeline notes in a Markdown file, including potentially sensitive personal or medical entries, with no evidence of hidden network access or destructive behavior.

Install only if you are comfortable saving timeline entries as plaintext in your local vault. Set VAULT_PATH to the intended location, and avoid logging health, family, or other sensitive details unless you want them retained and searchable by local tools, backups, or other users with access to that vault.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The trigger phrase "timeline" is so generic that normal conversation about timelines can invoke the skill unintentionally. Because this skill persists user-provided content, accidental activation can lead to unwanted storage of sensitive personal or medical information in a long-lived file.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill is explicitly designed to store dated personal facts, including medical events, in a persistent markdown file, but it provides no warning about retention, sensitivity, or who may later access the data. Users may disclose health or family information without understanding it will be durably stored and searchable, increasing privacy and confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal