Back to skill

Security audit

Devlog

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it needs review because it can read sensitive local AI session transcripts and optionally publish derived content online.

Install only if you are comfortable with the agent reading local AI coding transcripts that may contain prompts, code, paths, errors, or secrets. Prefer selecting an exact platform, project, time range, or transcript path; review and sanitize the generated markdown before sharing; do not paste Hashnode tokens into chat; and publish only after confirming the destination and final content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to read local files, inspect environment variables, and execute shell scripts, but it does not declare permissions or clearly communicate those capabilities up front. That creates a trust and review gap: users may invoke a seemingly simple blog-writing skill without realizing it can access local transcript stores and credentials-related state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared description frames the skill as a blog generator, but the workflow also performs broad local session discovery, transcript reconstruction across multiple tools, credential handling, and optional online publication. That mismatch is dangerous because it can lead users or policy systems to approve a content-generation skill that actually has materially broader data-access and exfiltration behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The publishing phase extends the skill from local content generation into external distribution and credential use, which is a materially different risk surface. If invoked carelessly, it can push sensitive transcript-derived content to a public platform using user secrets that were not clearly within the original scope of the skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The manual-discovery instructions authorize scanning broad user home, config, and application-data directories to locate session files. Even if intended to find transcripts, this widens access beyond a narrowly scoped project path and increases the chance of collecting unrelated or sensitive data from other tools and accounts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script enumerates a wide set of directories under the user's home and then falls back to parsing session tool-call arguments to reconstruct project roots from arbitrary absolute paths. That goes beyond simply listing Gemini session files and can expose unrelated local filesystem structure and sensitive path metadata to the skill, especially since the output includes full session file paths, inferred project paths, and message excerpts.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script advertises a session index with metadata, but it also reads transcript bodies and emits the first and last user messages. That creates an information disclosure risk because operators may run it expecting only file-level metadata while it actually exposes conversation content that may contain secrets, credentials, proprietary prompts, or personal data.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This script performs live publication to Hashnode, which exceeds the stated skill scope of generating blog posts from local transcripts. In an agent skill context, this scope expansion is dangerous because it enables unreviewed external side effects and public disclosure of generated content, potentially exposing sensitive transcript-derived material.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script requires a personal access token and publication ID, then uses them to send content to an external API. Even if intended for convenience, credentialed network publishing is a sensitive capability not justified by the described transcript-to-blog generation purpose, and it could leak private or proprietary content if invoked by an agent without explicit approval.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The tags include broad natural-language phrases such as 'write about what I built' and 'blog about a feature,' which can cause the skill to trigger in contexts where the user did not intend transcript mining or publication behavior. In this skill, accidental activation is more dangerous because the workflow includes local session discovery and optional external publishing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read local session storage and inspect environment variable availability without a user-facing warning that those sources may contain sensitive prompts, code, tokens, paths, or personal data. This is dangerous because users may not realize the extent of privacy-sensitive material being accessed during what appears to be a writing task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads Claude Code session transcripts and includes the first and last user messages in its JSON output, which can expose sensitive prompt text, credentials, proprietary data, or personal information embedded in those messages. In this skill’s context, the purpose is to enumerate and summarize sessions for blog generation, which increases the likelihood that private transcript content is surfaced or reused without explicit consent or redaction.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This script is explicitly designed to read Claude Code session JSONL files and emit conversation text, tool invocations, commands, file paths, queries, URLs, and error snippets to stdout. Session logs can contain secrets, proprietary code context, internal paths, credentials pasted by users, or sensitive operational details, and the script provides no consent prompt, redaction, or warning before disclosure, which creates a real privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly directs the skill to read Codex rollout transcripts and also references a global history file containing per-message summaries, but it provides no privacy guidance, consent requirements, data minimization rules, or warnings that these files may contain sensitive user content, secrets, or proprietary project details. In the context of a blog-generation skill that narrates human-agent sessions, this omission increases the risk of over-collecting and exposing private conversation data in generated output.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script parses local Codex session logs and emits the first and last user messages into its JSON output without any user-facing disclosure, consent gate, or minimization. Those messages can contain sensitive prompts, secrets, internal project details, or personal data, and exposing them as routine metadata increases the chance of unintended disclosure through downstream tooling or publication workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions direct the skill to scan broad local development directories and read Gemini CLI session transcripts, which can contain sensitive prompts, file paths, tool arguments, command history, and embedded file contents. Because the document provides no consent boundary, scope restriction, or privacy warning, a skill following these instructions could over-collect unrelated local data and expose private information in generated output.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script is explicitly designed to read Gemini CLI session JSON files and print conversation content, tool call arguments, URLs, paths, queries, and some error output to stdout. Session transcripts can contain secrets, internal file paths, proprietary code prompts, personal data, or other sensitive context, and the script provides no consent prompt, redaction, or warning beyond basic usage text, which makes accidental disclosure plausible in the devlog/blog-generation context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script traverses local agent session transcripts and extracts user message text without any warning, consent gate, or minimization controls. In the context of a devlog skill that processes AI coding sessions, those transcripts are especially likely to contain sensitive source excerpts, internal paths, API keys, bug details, or other confidential collaboration data, making inadvertent disclosure more dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to enumerate and read local session transcript files under the user's home directory, including extracting user messages and scanning transcript content. Because these transcripts can contain sensitive prompts, project details, secrets, and private conversations, doing this without an explicit privacy warning, consent check, or minimization boundary creates a real privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script extracts and emits snippets of the first and last user messages for every matched session, which can expose sensitive prompts, credentials, personal data, or proprietary information to any downstream consumer of the JSON output. In the context of a devlog skill that indexes transcripts for later content generation, this increases privacy risk because the disclosure is built into routine session enumeration rather than an explicit, consented export step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guidance explicitly tells the skill to retain tool-call inputs such as shell commands and file paths from stored transcripts. Those fields can contain secrets, internal paths, access tokens passed on command lines, or other sensitive operational details, and the document provides no warning, minimization, or sanitization requirement before use in generated blog content.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to read and synthesize human-agent transcripts, preserve user messages, and even use current-session context directly. In context, this creates a strong pathway for private prompts, proprietary code discussions, credentials accidentally mentioned in chat, and other sensitive material to be transformed into a blog post or summary, potentially exposing it locally or publicly.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow tells the agent to ask the user to provide missing environment-variable values for the current session, creating a natural-language channel for collecting live API credentials. That is dangerous because secrets may be disclosed directly into conversation context, logs, or downstream tools rather than being entered securely through the user's environment.

Ssd 3

Low
Confidence
84% confidence
Finding
Uploading a generated cover image to a publicly accessible URL adds an external disclosure step that may expose metadata or unintended embedded content without an explicit privacy review. While lower impact than transcript publication, it still introduces avoidable outward data transfer in a skill centered on local content generation.

Ssd 3

Medium
Confidence
96% confidence
Finding
This guidance explicitly encourages the agent to mine full transcripts and treat the human's complete session history as source material for publication. In a blogging skill, that creates a strong default path to leak sensitive prompts, architectural details, secrets mentioned in chat, internal errors, and other private collaboration content into externally shared prose.

Ssd 3

Medium
Confidence
97% confidence
Finding
These sections repeatedly instruct the system to transform user/assistant exchanges into publishable narrative, normalizing reuse of raw session content as blog material. Because coding transcripts often contain confidential requirements, debugging artifacts, stack traces, and security-relevant implementation details, this substantially increases the chance of unintentional disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.