Back to skill

Security audit

workspace-manager

Security checks across malware telemetry and agentic risk

Overview

This workspace manager mostly does local cleanup as advertised, but its default full pipeline can also upload broad workspace and configuration files to Google Drive without a separate confirmation step.

Review before installing. Run specific local steps rather than --all if you only want cleanup or organization, and do not rely on --dry-run as a complete preview. Avoid installing/authenticating gog for this skill unless you explicitly want Workspace_Human and core agent/user context files uploaded to Google Drive; disable sync or edit the config first if you proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The changelog documents a Google Drive sync feature for a skill described as local workspace management, which expands the trust boundary from local file organization to external data transfer. In a file-management skill, undocumented or under-scoped remote synchronization can expose workspace contents, including sensitive human or agent data, to third-party services if enabled.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Remote cloud synchronization is context-sensitive and materially riskier than ordinary workspace cleanup because it can transmit local contents off-host. In the context of a workspace organizer, this is more dangerous because users may reasonably expect only local filesystem operations, not external exfiltration paths via a sync CLI.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest frames the skill as local workspace management, yet the pipeline includes cloud synchronization of workspace contents to Google Drive. This expands the trust boundary from local file hygiene to remote data transfer, introducing confidentiality and compliance risk that is not clearly signposted by the skill identity.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A network/cloud-sync capability is not necessary for the core task of organizing folder structure, so its presence materially increases risk without clear justification. Because the synchronized scope includes broad workspace content, misuse or accidental invocation can leak private user files, agent artifacts, and internal operating context.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The pipeline explicitly defines a cloud sync step to Google Drive even though the skill description frames the capability as local workspace organization and maintenance. That mismatch can lead users or higher-level orchestrators to invoke the skill expecting only local file operations while the script introduces external data transfer capability, increasing data exposure risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code executes the external sync script as part of the main pipeline, so workspace contents may be transmitted off-host during a routine maintenance run. Because sync is bundled with the default '--all' flow and only loosely described as optional in comments, users may not realize that local maintenance also triggers remote backup behavior.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script performs outbound synchronization of workspace contents and sensitive core files to Google Drive, which materially exceeds the declared purpose of local workspace organization and maintenance. Even though the feature is marked optional and checks for gog authentication, it still creates a data exfiltration path for potentially sensitive human, agent, and configuration data without clear user consent or tight scope restrictions.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The gog availability/authentication checks gate execution, but they also confirm readiness to transmit data to an external cloud service unrelated to the stated workspace-management function. In this skill context, adding an external sync capability increases danger because the workspace may contain sensitive project data and identity/configuration files, making unauthorized or unexpected off-host transfer a significant confidentiality risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger language is broad enough that normal conversation about a messy workspace or organizing files could activate a skill that performs destructive or privacy-impacting operations. In context, this is more dangerous because the skill can reorganize, archive, clean, and optionally sync data, so accidental invocation can cause unintended file movement or remote disclosure.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script emits a ready-to-run cleanup command with an `--execute` flag immediately after a health report, but provides no warning that the follow-up action may change or delete workspace contents. In the context of a workspace-management skill, users may reasonably trust and copy-paste the recommendation, creating a risk of unintended destructive actions without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The orchestrator defaults to running organize, clean, and archive actions with no interactive confirmation or top-level warning, despite these steps performing file-moving and potentially destructive workspace modifications. In an agent-skill context, this is dangerous because an automated caller may invoke '--all' or omit arguments and unintentionally alter or remove user data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The sync step can transmit workspace data to Google Drive without a clear execution-time warning or consent prompt. In the context of a workspace-management skill, unexpected outbound transfer is more dangerous because users may reasonably expect housekeeping behavior, not data exfiltration to a third-party cloud service.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that broad workspace contents, including human files and core configuration, may be copied to Google Drive. Even though labeled optional, this creates a significant confidentiality risk because highly sensitive material such as workspace data and agent memory/config files could be transferred to an external cloud account once the required CLI is authenticated.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.