Back to skill

Security audit

Project Management Guru (ADHD)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is mostly aligned with ADHD project-management support, but it describes monitoring workplace activity and sending forceful interventions without clear consent, scope, or privacy controls.

Review before workplace use. Treat this as advice-only unless every affected engineer explicitly opts in, monitored data sources are minimized, Slack messages and reminder frequency are configurable, and retention/escalation rules are documented. Avoid the coercive break and physical-intervention language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The detection criteria rely on ordinary workplace signals such as delayed replies, DND status, deep-work calendar blocks, and concentrated commits, which are not reliable indicators of hyperfocus. This can cause the system to infer a sensitive cognitive or health-related state from ambiguous telemetry and trigger interventions on users who are simply working normally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill proposes monitoring Slack status, commit activity, and calendar blocks without any visible notice, consent flow, or privacy boundary. These sources can reveal behavioral patterns and sensitive work habits, so collecting and acting on them without transparency creates a privacy and trust risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documented integrations with Slack, GitHub, Calendar, and time-tracking systems imply broad access to external platforms but do not describe authorization scope limits, user awareness, or data-handling safeguards. This expands the privacy attack surface and could expose sensitive activity metadata across multiple systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends automated Slack DMs to engineers but the markdown description does not clearly disclose this behavior to users. In a workplace context, undisclosed automated messaging can create privacy, consent, and trust issues, especially if task names or deadlines contain sensitive project information and are pushed over an external communication channel.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.