decision-log

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, instruction-only decision journal that saves decision notes and metadata locally, as described. Its persistence and broad triggers raise some privacy considerations.

Install only if you are comfortable with decision content being saved locally and decision titles/file paths being emitted as local event records. Avoid logging secrets or highly confidential decisions, and check whether the 30-day review mechanism is actually scheduled in your environment and how to remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 94% confidence
Finding
The trigger phrase "why did I do this" is broad, conversational language that can easily appear in normal user dialogue without an explicit intent to invoke this skill. In a skill that writes decision records to disk, accidental activation can cause unintended persistence of sensitive reasoning, plans, or personal/project details.

Missing User Warnings

Medium, 97% confidence
Finding
The skill describes automatic recording and event publication but does not warn users that their decision content will be written to disk and emitted to an event file. Because decision logs often contain rationale, alternatives, and operational context, silent persistence increases the risk of storing sensitive or confidential information without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
