Todo Sync
Security checks across malware telemetry and agentic risk
Overview
This looks like an unfinished todo-sync skill that asks for broad local file and shell access without explaining how that access is scoped or controlled.
Review this before installing. Only use it from a trusted source, and do not enable broad file or Bash access until the publisher documents the exact WeCom and Feishu permissions, what data it reads or changes, what local files it may touch, and what confirmations happen before syncing or modifying tasks.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.