Patrick bot

Security checks across malware telemetry and agentic risk

Overview

Patrick appears to be a legitimate executive-analysis skill, but it asks for very broad company data access and chat-based license handling without enough safeguards.

Review before installing. Use Patrick only with explicitly approved, task-specific company data; do not allow blanket reading of Slack, JIRA, calendars, Git history, or operational files. Avoid pasting the license into chat; configure it through a local secure path if possible. Verify the downloaded CLI and enable cronjobs only after reviewing exactly what they will run and what data they can access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The skill tells the agent to gather broad company data sources such as Slack, JIRA, calendar events, and operational files before using Patrick, even though that scope exceeds simple expertise retrieval. This creates unnecessary data access and potential exfiltration risk, especially when paired with a remote CLI and server-backed workflow.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The install guide explicitly instructs the agent to solicit and handle a human license credential, which is a sensitive secret not necessary to embed in normal skill behavior. This expands the skill's authority from using an expertise library to collecting authentication material, creating risk of secret exposure in chat history, logs, or reuse outside the immediate install step.

Vague Triggers

Medium (83% confidence)
Finding
The invocation description is broad enough to match common executive, strategy, briefing, and analysis requests, which can cause the skill to activate in contexts where users did not intend remote tooling, installation, or sensitive data handling. That broad trigger surface materially raises the chance of inappropriate use.

Missing User Warnings

High (98% confidence)
Finding
The skill explicitly asks the user to paste a license token into chat for automatic configuration, which encourages disclosure of a credential through a conversational channel. Tokens copied into chat may be logged, retained, or exposed to systems beyond the intended CLI, creating credential leakage and account misuse risk.

Missing User Warnings

High (96% confidence)
Finding
The instructions to collect Slack, JIRA, calendar, and company data omit privacy, retention, and sensitivity warnings despite involving potentially confidential and personal information. In a strategic-analysis skill, this omission makes overcollection and mishandling of sensitive enterprise data much more likely.

Missing User Warnings

Low (88% confidence)
Finding
These instructions download an executable, write it into a persistent user directory, change its permissions, and modify PATH without clearly warning that local system state will be changed. Even if common for installation docs, agents following such steps autonomously could make unreviewed system modifications.

Missing User Warnings

Low (89% confidence)
Finding
The skill installation flow extracts an archive and copies files into agent skill directories, which permanently changes the local agent configuration. Without a prominent warning and confirmation step, an agent could install unreviewed code or prompts into a trusted execution context.

Missing User Warnings

Medium (93% confidence)
Finding
The guide tells users to paste a license credential but does not warn that the value is sensitive and should be handled like a secret. In agent-mediated workflows, this can lead to the credential being exposed in chat logs, copied into tool arguments, or retained in memory beyond the intended use.

Ssd 3

High (99% confidence)
Finding
The skill directs the agent to collect broad company data and load it into working memory before use, which is a direct instruction for indiscriminate aggregation of sensitive enterprise information. Because the skill subsequently interacts with remote expertise workflows, this expands the blast radius for accidental disclosure, overprocessing, or downstream prompt leakage.

Ssd 3

Medium (97% confidence)
Finding
Requesting that the user paste a license token into chat causes a sensitive credential to be handled in a channel not designed for secret management. Even if intended for convenience, it increases exposure through logs, transcripts, model context, or operator access.

Ssd 3

Medium (96% confidence)
Finding
The instruction to use any license already present in a user's message encourages the agent to capture and reuse secret material from prior conversation context. That increases the chance of unintended disclosure, replay, or propagation of credentials beyond the user's immediate intent.

VirusTotal

64/64 vendors flagged this skill as clean.
