Skill Logger

Security checks across malware telemetry and agentic risk

Overview

This skill openly implements a shared task-history logger, but it stores detailed task data in cross-session/global locations without enough privacy controls or warnings.

Install only if you are comfortable with detailed task histories being written locally and potentially reused across conversations. Avoid logging secrets, customer identifiers, proprietary audience definitions, or credentials, and prefer an isolated, access-controlled storage path with a clear cleanup process before using it in shared or multi-user environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
Claiming the data is 'local, safe, and reliable' conflicts with the same document's recommendation to store full task histories in /tmp and share them across conversations. That messaging can cause users to underestimate exposure risk and authorize logging of sensitive parameters under false safety assumptions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The helper returns broad runtime metadata including cwd, home path, workspace-related environment values, Python version, and anchor file contents, which goes beyond the stated purpose of locating a task-history file. In an agent skill context, exposing these details can aid environment fingerprinting, reveal sensitive filesystem layout, and leak storage locations used across conversations or sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The CLI entrypoint prints platform, cwd, home directory, anchor file path, anchor contents, and discovered history file paths to stdout, which can disclose sensitive local paths and persistent storage locations unrelated to ordinary logging. In shared or agent-managed environments, this information can be captured by logs or downstream tools and used to locate, correlate, or tamper with cross-session history data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The fallback path-detection logic is not read-only: it creates directories and writes a probe file across multiple candidate locations, then persists an anchor file. In a query utility, this side effect can modify host state unexpectedly, touch shared/global directories, and create or overwrite files in locations influenced by environment variables or the current working directory, which increases the risk of unintended data exposure or cross-session contamination.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill advertises cross-conversation shared storage in /tmp without a prominent warning that later sessions may access prior task history. This omission undermines informed consent and can expose data from one user or conversation to another through an intentionally shared global path.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill states it records complete task parameters, detailed operation steps, and results, but does not warn that these fields may contain sensitive user or business data. Persisting such comprehensive logs materially increases the risk of credential, identifier, workflow, or proprietary data exposure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Describing local storage as 'safe and reliable' without noting that /tmp is commonly accessible to other processes is misleading in a security-sensitive context. Users may trust the feature and store confidential task data without understanding the broader access surface.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The skill explicitly instructs persistent logging of full task parameters and step-by-step operations into storage designed for cross-conversation access. In context, that is a direct data-exposure mechanism because later conversations or other processes can retrieve prior users' detailed inputs and workflows, including potentially sensitive business or personal data.

Ssd 3

Severity: High
Confidence: 99%
Finding:
Promoting cross-dialog sharing via a global storage location semantically instructs the system to make previous conversation data available to future sessions. This breaks normal session isolation expectations and creates a straightforward avenue for unauthorized disclosure of historical task information.

Ssd 3

Severity: High
Confidence: 99%
Finding:
Stating as an 'advantage' that new conversations can query all previous task records normalizes and encourages retrieval of historical data outside its original context. In a skill system, this is dangerous because it turns retained logs into a cross-session disclosure channel by design.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The troubleshooting section reinforces that all conversations should automatically share task history, further operationalizing cross-session disclosure rather than treating it as a sensitive optional mode. This increases the likelihood that insecure sharing is deployed and normalized without safeguards.

VirusTotal

VirusTotal findings are pending for this skill version.