Coffee Debugger

Security checks across malware telemetry and agentic risk

Overview

This skill is a low-risk coffee recommendation prompt that uses conversation context and the current time, with no evidence of hidden data access or persistence.

This appears safe to install if you want casual coffee recommendations in coding sessions. Be aware it may activate on broad phrases about tiredness or needing energy, and keep shell access constrained so its Bash use remains limited to checking the current time.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The README advertises broad natural-language triggers such as being tired, needing a coffee recommendation, or needing a boost, which can easily overlap with normal conversation in a coding session. That raises the chance of unintended invocation, causing the skill to activate when the user did not explicitly request it and potentially shaping responses or collecting contextual signals unexpectedly.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger description is broad enough to match common conversational phrases like wanting coffee, energy, or feeling tired, which can cause the skill to activate outside a clearly intended coffee-recommendation context. This is not a code-execution issue, but it can lead to unwanted invocation, user confusion, and accidental disclosure of conversational context to a skill the user did not explicitly mean to use.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal