
Security audit

Task Weight Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent focus-management skill that may keep local task notes; the audit found no hidden data access, exfiltration, or destructive behavior.

Install this if you want the agent to actively manage focus across several topics in one chat. Expect local markdown notes if persistence or bootstrap is used, review those files before committing or sharing a workspace, avoid storing secrets in thread notes, and be explicit when you want priorities changed or the skill disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to maintain persistent state in `task-weight-manager/threads.md`, which implies file-write behavior, but no explicit permission declaration or user-facing consent mechanism is present. Undeclared write capability increases the risk of silent workspace modification and makes the skill's operational footprint less transparent than its metadata suggests.
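The check behind this finding can be automated: compare the file paths a skill's instructions tell the agent to maintain against the write permissions its metadata declares. The script below is an added example written for this page, not SkillSpector's or the skill author's code. It assumes a SKILL.md layout of YAML-style frontmatter followed by markdown, a `permissions` list with `read:`/`write:` prefixes, and a constructed sample manifest modelled on the `task-weight-manager/threads.md` instruction quoted above; all three are assumptions for illustration.

```python
import re

# Constructed sample manifest (not the real skill file). The frontmatter key
# `permissions` and its `read:` / `write:` prefixes are assumptions.
SAMPLE_SKILL_MD = """---
name: task-weight-manager
description: Manage focus across several topics in one chat.
permissions:
  - read:workspace
---
# Task Weight Manager

Maintain a persistent thread board in `task-weight-manager/threads.md`
and update it after every turn. Read `task-weight-manager/config.md`
for defaults if present.
"""

# Verbs that imply the agent will modify a file rather than only read it.
WRITE_VERBS = ("maintain", "persist", "write", "save", "update",
               "append", "record", "store")


def parse_frontmatter(text):
    """Split '---' frontmatter from the body. Handles only flat 'key: value'
    lines and 'key:' followed by '  - item' lists, which is all we need."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    fm, key = {}, None
    for line in m.group(1).splitlines():
        if line.startswith("  - ") and key:
            fm.setdefault(key, []).append(line[4:].strip())
        elif ":" in line:
            key, _, val = line.partition(":")
            key = key.strip()
            fm[key] = val.strip() if val.strip() else []
    return fm, m.group(2)


def declared_write_paths(fm):
    """Path prefixes the manifest says the skill may write."""
    return [p[len("write:"):] for p in fm.get("permissions", [])
            if p.startswith("write:")]


def implied_writes(body):
    """Backticked file paths that share a sentence with a write verb."""
    found = set()
    for sentence in re.split(r"(?<=[.!?])\s+", body.replace("\n", " ")):
        lowered = sentence.lower()
        if any(v in lowered for v in WRITE_VERBS):
            found.update(re.findall(r"`([^`]*\.[a-z]+)`", sentence))
    return found


def undeclared_writes(skill_md):
    """Implied write targets not covered by any declared write permission.
    A trailing '*' in a declared prefix is treated as a directory wildcard."""
    fm, body = parse_frontmatter(skill_md)
    allowed = declared_write_paths(fm)
    return sorted(
        p for p in implied_writes(body)
        if not any(p == a or p.startswith(a.rstrip("*")) for a in allowed)
    )


if __name__ == "__main__":
    for path in undeclared_writes(SAMPLE_SKILL_MD):
        print(f"undeclared write target: {path}")
```

Run against the sample, it reports `task-weight-manager/threads.md` because the body tells the agent to maintain and update that file while the manifest only declares `read:workspace`; adding `write:task-weight-manager/*` to the permissions list makes the report empty. `config.md` is not reported because its sentence only reads it. The sentence-level verb heuristic is deliberately loose; treat hits as review candidates, not proof.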

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is conversational prioritization, but the skill also directs persistent workspace modification via a thread board, which is a materially different behavior from in-memory conversation management. This mismatch can cause users to invoke the skill expecting lightweight assistance while the agent writes files and potentially stores sensitive conversation context without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation description is broad enough to match many normal chats involving multiple topics, which can cause the skill to trigger unexpectedly and apply persistence or steering behavior outside the user's intent. Overbroad activation increases the chance of unnecessary data collection, unwanted behavioral overrides, and accidental workspace writes.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The introductory guidance says to use the skill when a conversation contains multiple strands of intent, but does not require a clear user request or consent threshold. In context, that ambiguity is more dangerous because the skill can steer responses, classify user topics, and persist them to disk, changing agent behavior in ways the user may not expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to persist conversation thread data to `task-weight-manager/threads.md` without an explicit warning that user content may be stored in the workspace. Because the board includes titles, goals, evidence, and next actions derived from conversation turns, it may capture sensitive or proprietary information and leave a durable local record the user did not anticipate.
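This finding and the overview's advice to review thread notes before committing a workspace and to keep secrets out of them both come down to one pre-commit check: scan the thread board for credential-shaped strings and confirm the file is not about to be committed. The script below is an added example for this page, not the skill's or the scanner's code. The thread board content is constructed for illustration (the AWS key ID is the one used in AWS documentation and the bearer token is a fake), the `.gitignore` check is a simplified stand-in for `git check-ignore`, and the function names are hypothetical.

```python
import re

# Constructed thread board in the shape the finding describes: titles, goals,
# evidence and next actions lifted from conversation turns. Credentials are fake.
SAMPLE_THREADS_MD = """# Threads

## Mainline: ship billing export
- goal: finish CSV export before Friday
- evidence: user pasted curl with `Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc`
- next: rotate AKIAIOSFODNN7EXAMPLE after the demo

## Parked: onboarding doc
- goal: rewrite intro
- evidence: none
"""

# Patterns for the secret types most likely to be pasted into a chat.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S{8,}"),
}


def scan_notes(text):
    """Return (line_number, pattern_name, redacted_match) for each hit.
    Matches are truncated so the report itself does not leak the secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                s = m.group(0)
                hits.append((lineno, name, s[:6] + "..." if len(s) > 10 else "***"))
    return hits


def is_gitignored(gitignore_text, path):
    """Cheap check: the path or one of its parent directories is listed.
    Assumption: no negation or glob rules; real repos should shell out to
    `git check-ignore` instead."""
    rules = {l.strip().rstrip("/") for l in gitignore_text.splitlines()
             if l.strip() and not l.startswith("#")}
    parts = path.split("/")
    return any("/".join(parts[:i]) in rules for i in range(1, len(parts) + 1))


def precommit_verdict(notes_text, gitignore_text,
                      path="task-weight-manager/threads.md"):
    """Block the commit when the board holds secrets and is not ignored."""
    hits = scan_notes(notes_text)
    ignored = is_gitignored(gitignore_text, path)
    return {
        "path": path,
        "secrets": len(hits),
        "gitignored": ignored,
        "block_commit": bool(hits) and not ignored,
    }


if __name__ == "__main__":
    for lineno, name, redacted in scan_notes(SAMPLE_THREADS_MD):
        print(f"line {lineno}: {name} ({redacted})")
    print(precommit_verdict(SAMPLE_THREADS_MD, gitignore_text=""))
```

On the sample board the scan flags the bearer token on the evidence line and the AWS key ID on the next-action line, and with an empty `.gitignore` the verdict is to block the commit. Adding `task-weight-manager/` to `.gitignore` lifts the block but does not remove the secrets from disk; the notes still need editing or the credentials rotating.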

Natural-Language Policy Violations

High
Confidence
77% confidence
Finding
The response contract and examples bias the agent toward Chinese output without checking the user's language preference. While this is not a direct security exploit, it can impair user comprehension of status, parking, or persistence notices, which weakens informed consent and can indirectly increase the risk of unnoticed file storage or task steering.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Enabling implicit invocation without trigger constraints allows the skill to activate on broad, ordinary conversation-management requests, potentially taking over routing or shaping user interactions when not explicitly requested. In this skill's context, the behavior is especially overlap-prone because 'manage threads', 'reduce distraction', and 'steer attention' are generic assistant functions that could be invoked unexpectedly and influence conversation flow.

Vague Triggers

Low
Confidence
84% confidence
Finding
The default prompt defines broad conversational control behavior that overlaps with normal assistant capabilities, increasing the chance that the skill will be selected for routine chats rather than specialized cases. Because this skill is designed to prioritize topics and suppress distractions, unintended activation could subtly bias responses, de-emphasize user-raised side issues, or incorrectly persist a 'mainline' objective.

VirusTotal

All 64 of 64 VirusTotal vendors returned a clean verdict for this skill.
