anyone-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive, but it can turn private chats, diaries, emails, and social archives into persistent persona files and training datasets with weak consent and cleanup boundaries.

Install only if you are comfortable with the agent reading and locally retaining selected personal files. Use it for yourself or with clear consent from the subject, avoid private third-party conversations unless authorized, redact sensitive details first, review generated persona and training files before use, and delete training/raw, persona-knowledge stores, snapshots, and exports when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill presents itself as a persona-distillation workflow, but it also documents filesystem management, rollback/versioning, runtime installation/switching, SQLite extraction, and training/export pipelines that materially expand what it can do. This mismatch is dangerous because users may consent to a narrow purpose while the skill performs broader data handling and environment-modifying actions than expected.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The optional local model-training chain extends the skill beyond simple persona pack generation into creation of runnable persona models. That expansion increases data-processing scope, persistence, and downstream misuse risk, especially when built from personal communications and other sensitive sources.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The persona-knowledge integration adds persistent storage, semantic search, knowledge graph extraction, and wiki generation over sensitive source material, none of which is clearly surfaced in the main description. This is dangerous because it transforms transient user-provided content into indexed, searchable memory that increases retention, discoverability, and secondary-use risk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 80%
Finding: Installing and switching the active persona modifies the local runtime state, which is more invasive than merely generating an output pack. Even if intended as a convenience, undisclosed environment-changing actions can surprise users and cause unintended activation of a generated persona.

Vague Triggers
Severity: Medium
Confidence: 77%
Finding: The trigger phrases are broad and map directly to requests to clone or emulate real people, increasing the chance the skill is invoked in sensitive impersonation scenarios. In context, this is more dangerous because the workflow then solicits private communications and builds portable persona artifacts from them.

Missing User Warnings
Severity: High
Confidence: 94%
Finding: The description advertises persona creation from chat logs, documents, and public content but does not warn up front that the skill may collect, retain, transform, and export highly sensitive personal data. This omission undermines informed consent and is especially risky because users may provide intimate communications, identifiers, or third-party data without appreciating the retention and reuse implications.

Natural-Language Policy Violations
Severity: Medium
Confidence: 95%
Finding: The file explicitly recommends using private sources such as chat logs and diaries to build a persona for 'yourself / someone you know' without stating any consent, authorization, or privacy-preserving requirements. In the context of a skill designed to distill real people into portable persona packs, this can enable unauthorized collection and repurposing of sensitive personal data, increasing privacy, impersonation, and misuse risks.

Ssd 3
Severity: High
Confidence: 97%
Finding: The skill explicitly directs ingestion of private chat exports, diaries, emails, social archives, and even SQLite message databases, then saves processed copies for persona creation. In this context, the data is highly sensitive and often includes third-party communications, so broad collection and local retention materially raise privacy, consent, and impersonation risks.

Ssd 3
Severity: High
Confidence: 96%
Finding: The training export workflow preserves raw source files and derived training artifacts, creating a durable dataset that can be reused for local model training and broader persona deployment. This persistence significantly increases the blast radius of any exposure, misuse, or unauthorized sharing of intimate personal content.

VirusTotal

67/67 vendors flagged this skill as clean.