Auto Dream Light

Security checks across malware telemetry and agentic risk

Overview

This is a small local memory-consolidation skill whose file changes and optional commit behavior are disclosed and aligned with its purpose.

Install if you want an on-demand local memory cleanup workflow. Use it deliberately, review the memory-file diff before accepting or committing changes, and avoid storing secrets in the memory files it scans.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The guide instructs the agent to write target files and commit changes as part of the default execution flow, but it does not require an explicit confirmation step or warn that repository state will be modified. In an agent setting, this can cause unintended persistence of changes or commits from a simple natural-language trigger, especially when users may not realize the action is state-changing.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrase "dream now" is short, generic, and plausible in ordinary conversation, which increases the risk of accidental activation of a workflow that writes files and may commit changes. Because this skill's documented behavior performs state-changing actions by default, an ambiguous trigger materially raises the chance of unintended execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal