Todo List for MacOS

Security checks across malware telemetry and agentic risk

Overview

This is a transparent macOS Reminders helper, with expected local read/write behavior but some care needed around automatic reminder creation and fuzzy deletion.

Install only if you want the agent to control macOS Reminders. Use clear, explicit instructions, and ask it to list matching reminders before completing or deleting items because fuzzy matching may affect the first partial match and changes can sync to other Apple devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The guidance says that for common phrases like "remind me to...", the agent should directly call the add action instead of first confirming intent. That is an overly broad natural-language trigger for a state-changing operation, and it increases the risk of unintended reminder creation from ambiguous, quoted, hypothetical, or third-party text. In this skill's context, the risk is moderated because the action is limited to the local Reminders app, but it can still cause unwanted data creation and iCloud-synced side effects.

VirusTotal

66/66 vendors flagged this skill as clean.
