Back to skill

Security audit

Adhd Assistant

Security checks across malware telemetry and agentic risk

Overview

This ADHD planning skill is not malware, but it needs review because it can persist sensitive health-adjacent details without clear consent or deletion controls.

Install only if you are comfortable with an ADHD-focused assistant storing personal routines and possible health-related context. Before using it, limit memory for diagnosis, medication, therapy, emotional triggers, and reminder channels unless you explicitly want those saved, and confirm any file write or recurring reminder before it is created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly proposes storing sensitive mental-health-related preferences, treatment context, routines, and task data in memory/files without a clear user-facing notice, consent flow, retention policy, or minimization guidance. In this context, the data includes ADHD status, suspected diagnosis, treatment information, and emotional patterns, so silent persistence could expose highly sensitive personal information or create privacy harm if accessed by other tools, users, or logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.