Security audit

My Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad ongoing memory, monitoring, and local-environment authority without enough consent boundaries.

Install only if you want a highly proactive, memory-heavy agent. Before using it, remove or explicitly opt into email/calendar monitoring, autonomous cron or isolated-agent behavior, app/tab cleanup, and automatic profiling. Regularly review USER.md, MEMORY.md, SOUL.md, SESSION-STATE.md, daily notes, and working-buffer files, and avoid storing secrets, health, financial, regulated, or third-party personal details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill explicitly instructs the agent to research broadly across docs, GitHub issues, forums, web search, and even spawn research sub-agents before asking for help. In a skill whose purpose is proactive behavior, this materially expands autonomous external reconnaissance and can cause unsupervised interaction with untrusted content, increasing prompt-injection and data-exfiltration risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The heartbeat checklist authorizes autonomous local-environment actions such as closing apps, cleaning browser tabs, and moving screenshots to trash. These are side-effecting operations unrelated to the core stated purpose and can cause data loss, disrupt active work, or delete potentially important evidence without explicit user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The instruction to 'use every tool: CLI, browser, web search, spawning agents' grants open-ended capability escalation unrelated to the core stated purpose of memory/proactivity patterns. Broad tool invocation increases the chance of unnecessary command execution, data exposure, and unsafe actions being rationalized under 'resourcefulness.'

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill explicitly endorses autonomous isolated agent turns for background work, which broadens authority beyond a passive memory/proactivity framework. Autonomous execution can perform actions or collect data without contemporaneous user awareness, increasing the risk of unintended side effects and silent persistence.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding
The file explicitly authorizes checking external services such as the web and calendars as routine behavior, even though the skill description is broadly about proactive assistance and continuous improvement. That expands the agent’s operational scope beyond clearly bounded workspace actions and can lead to unnecessary access to sensitive external data or actions triggered without specific user intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The heartbeat behavior instructs the agent to monitor emails and calendars and decide when to reach out, creating ongoing surveillance-like access to sensitive external services without a narrowly scoped trigger. Even if intended for helpfulness, this increases the chance of over-collection of personal data and unsolicited autonomous behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The heartbeat instructs the agent to perform system and application cleanup actions such as closing apps, cleaning browser tabs, and moving files to trash without any clear tie to the declared proactive-agent purpose or explicit user authorization. In an autonomous periodic context, these actions can disrupt user workflows, cause unintended data loss, and exceed least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill directs periodic checking of emails and calendar, which accesses sensitive personal productivity data beyond what is described as a generic proactive-agent behavior. Because this occurs during recurring heartbeats, it creates ongoing privacy exposure and increases the chance of collecting or acting on data the user did not intend to share with this skill.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding
The reverse-prompting triggers are broad enough that the agent may solicit tasks or information during normal conversation without a clear user request. While not directly a security exploit, this can lead to manipulative prompting, over-collection of user context, and unbounded proactive behavior that expands the agent's operating scope.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
Using 'long conversation' as a trigger for curiosity prompts is underspecified and encourages the agent to gather more personal context whenever it deems a session sufficiently lengthy. In practice this can become persistent profiling across sessions, especially because the skill also directs storage of these details in USER.md or MEMORY.md.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill markets persistent memory and context retention as a feature but does not pair it with a clear privacy warning, retention policy, or guidance on sensitive data handling. This omission increases the chance that operators deploy long-term memory storage without understanding that personal, confidential, or regulated information may be preserved across sessions.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The WAL trigger is intentionally broad: it tells the agent to scan every message for ordinary conversational elements like corrections, names, preferences, decisions, and specific values, then persist them before responding. In practice this creates always-on collection behavior that can capture sensitive data far beyond what is necessary for task completion, increasing privacy and retention risk even without malicious intent.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The quick-start flow says the agent auto-populates USER.md and SOUL.md from user answers, which means user-provided content is written into persistent files without any clear notice, consent checkpoint, or retention explanation. That creates a direct privacy risk because users may disclose personal preferences, goals, or sensitive background information without understanding it will be stored long-term.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The working buffer protocol mandates logging every exchange after a context threshold, including the human's message and an agent summary, with no user-facing disclosure or selective filtering. This is a substantial data retention vulnerability because it can store full conversational content, including secrets, regulated data, or incidental personal information, merely as a byproduct of normal interaction.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The WAL trigger tells the agent to scan every message for very generic cues like corrections, names, preferences, decisions, and specific values. Such broad activation can cause the skill to engage during ordinary conversation and over-collect or persist data that the user did not expect to be logged.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
Compaction recovery is triggered by vague phrases like 'continue' or 'where were we,' which are common in normal conversation. This can cause unexpected file reads and context recovery behavior even when the user is not invoking a persistence workflow, expanding the skill's activation surface.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quick-start flow says the agent auto-populates USER.md and SOUL.md from user answers, but it does not clearly warn that personal information will be persistently stored. This creates a consent and privacy risk because users may share sensitive details without understanding that they are being written to long-lived profile files.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The working buffer protocol instructs logging every exchange after a context threshold, including user messages and agent summaries, without a prominent prior privacy warning. Comprehensive transcript capture materially increases retention of sensitive personal, business, or secret data beyond what is necessary for many tasks.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The instruction 'Don't ask permission. Just do it.' encourages autonomous action before establishing whether a task is sensitive, high-impact, or outside the user’s intended scope. In a security context, broad no-confirmation directives weaken safeguards and make later restrictions easier to bypass through overbroad interpretation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The first-run instruction says to follow BOOTSTRAP.md and then delete it, but provides no confirmation requirement or user-visible warning before deletion. This creates a clear risk of silent removal of files, loss of auditability, and destruction of evidence if BOOTSTRAP.md contained important setup context or malicious instructions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instructions include destructive or disruptive cleanup actions such as closing apps, closing browser tabs, and moving old screenshots to trash, but provide no confirmation, preview, or rollback safeguards. In a periodic self-improvement loop, this can cause loss of user context or data and may repeatedly perform unwanted actions without notice.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The heartbeat recommends reviewing emails and calendar on a recurring basis without any privacy warning, consent language, or boundaries on what data may be read and how it may be used. This normalizes continuous surveillance-like behavior and can expose highly sensitive personal and professional information unnecessarily.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The template explicitly encourages storing sensitive personal information such as background details, preferences, and important dates without any privacy warning, minimization guidance, retention limits, or consent requirements. In a long-term memory file for an autonomous or proactive agent, this materially increases the chance of unnecessary collection, persistence, and later misuse or leakage of personal data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The template invites storing information about other people and relationship context, which expands collection beyond the primary user to third-party personal data that may not have been consented to. In the context of a proactive agent with persistent memory, this creates elevated privacy, profiling, and disclosure risk because the system may retain sensitive social and interpersonal details indefinitely.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The onboarding flow explicitly solicits personal and work-related details such as identity, timezone, goals, current projects, and key people, and states that the agent will persist this information into other files like USER.md and SOUL.md. Because there is no explicit warning about storage, retention, visibility, or downstream use, users may disclose sensitive information without informed consent, increasing privacy and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions (severity: Warn)

Prompt-injection style instruction pattern detected at the following locations:
  • assets/HEARTBEAT.md:11
  • references/security-patterns.md:9
  • SKILL-v2.3-backup.md:179