Back to skill

Security audit

FeaturePlanningAutoPilot

Security checks across malware telemetry and agentic risk

Overview

This planning skill is not clearly malicious, but it should be reviewed because it automatically stores conversation-derived lessons and syncs them back into the skill without clear user opt-in or deletion controls.

Install only if you are comfortable with the agent writing planning lessons, preferences, fixes, and reusable prompts into persistent skill files. Avoid using it with secrets, customer data, proprietary prompts, or sensitive project details unless you can inspect, approve, and delete what gets stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is framed as a planning aid, but its instructions expand into execution, validation, and persistent updates to local memory files. This creates a scope mismatch that can cause an agent to take actions and store data beyond what a user would reasonably expect from a planning-only skill, increasing the risk of unintended file modification and privacy violations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill mandates long-term capture of preferences, fixes, and reusable prompts into persistent files without showing a clear necessity for feature planning. Persisting conversation-derived preferences and prompts can retain sensitive or proprietary information and repurpose it in later sessions without the user's informed consent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation phrases are very broad and overlap with common user requests such as asking for a plan or phased steps. This can cause the skill to trigger unexpectedly in routine conversations, which is more dangerous here because the skill also contains execution and persistence behaviors that a user may not have intended to invoke.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill requires automatic persistence of conversation-derived learnings but does not warn the user or ask for consent before writing them to durable storage. Silent retention of user preferences, issues, and reusable prompts can violate user expectations, leak sensitive information into reusable memory, and create compliance problems.

Ssd 3

Medium
Confidence
96% confidence
Finding
The mandated capture of preferences, fixes, and custom prompts from the conversation can sweep up sensitive project details, internal procedures, or user-specific information into reusable files. Because the memory is intended for future reuse and sync back into SKILL.md, the leakage can persist and propagate across sessions or contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.