Back to skill

Security audit

Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent proactive-agent/memory package, but it grants broad persistent memory, autonomous background work, private email/calendar monitoring, and local cleanup authority without enough user control.

Install only if you want a highly proactive personal-agent workflow and are comfortable reviewing its memory files and automation rules first. Before use, disable or require explicit opt-in for email/calendar checks, autonomous crons or isolated agents, automatic memory capture, and cleanup actions such as closing apps or moving files to trash. Do not store secrets in the memory/profile files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill explicitly normalizes inspecting tooling files that may contain credentials and running security audits over them, even though the skill’s primary purpose is proactive agent behavior. In practice, this expands the agent’s authority into sensitive-secret discovery and handling, which increases the chance of unnecessary access, retention, or leakage of credentials.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The self-healing section authorizes broad web research, trying many approaches, and spawning research agents without clear scope limits or approval gates. That can cause the agent to access external resources, disclose context to sub-agents, or take actions beyond the user’s intended task boundary.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to use broad execution and orchestration capabilities, including CLI, browser, web search, and spawning agents, under a 'try 5-10 methods' mandate. That materially expands the agent's action surface beyond context persistence/proactivity and can push the agent into unsafe autonomous tool use, especially when tasks are ambiguous or attacker-influenced.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill directs the agent to create a weekly cron job reminder, introducing autonomous scheduled behavior not clearly bounded by consent, scope, or manifest-declared capabilities. Scheduled actions can cause persistent, repeating behavior that continues after the original context has changed and may surprise users or leak information through reminders/check-ins.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill encourages expansive operational behavior beyond its stated role by directing the agent to use broad execution and external capabilities ('CLI, browser, web search, spawning agents'). In a reusable skill, this widens the action surface and can cause the agent to perform risky operations without sufficiently specific task-scoped guardrails.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The autonomous cron/sub-agent section explicitly instructs background agents to perform work without main-session or human attention. That creates a durable autonomous execution pathway, which is risky because it can read/update files or take actions persistently outside immediate user visibility and consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
These rules authorize broad external-facing activity such as web searching and checking calendars under a general 'do freely' model, which exceeds the narrowly described memory/proactivity function of the skill. In an agent setting, this creates scope creep and increases the chance of privacy-sensitive access or unexpected actions without clear, task-specific consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat workflow tells the agent to proactively inspect emails and calendars and decide when to reach out, effectively turning the skill into an autonomous monitor of private communications and schedule data. That is materially broader and more sensitive than simple memory continuity, and it can lead to unauthorized surveillance-like behavior or disclosure of sensitive information.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Instructing the agent to try 5-10 methods and 'use every tool,' including spawning agents, encourages unconstrained capability escalation without task-bound authorization. This can lead to unnecessary data exposure, uncontrolled sub-agent behavior, or actions beyond the user's expectations and the skill's declared purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The heartbeat directs the agent to perform system-level cleanup actions such as closing apps, cleaning browser tabs, and moving files, which exceeds a narrowly scoped 'proactive partner' role and can affect the user's device state. Even if framed as hygiene, these actions can cause data loss, disrupt active work, or normalize broad autonomy over the host environment without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Periodic review of emails, calendar, and projects expands the agent's access into sensitive personal and professional data sources beyond the clearly defined scope of the file. In a heartbeat context, this creates ongoing background surveillance behavior and increases the chance of unnecessary collection, exposure, or misuse of private information.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The opening language encourages the agent to anticipate needs, monitor matters, and create value without being asked, but it does not define strong boundaries for when proactive behavior is appropriate. In an agent with tools, vague triggers can lead to overreach, surprise actions, or operation on sensitive data without a clear request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill markets persistent memory and self-improvement through saved context, but it does not provide an upfront privacy warning or consent model for long-term storage of user information. This creates a risk of collecting and retaining sensitive personal or business data beyond user expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The onboarding flow directs the agent to write learned information into USER.md and SOUL.md as it gathers context, but it does not require explicit notice or consent before persisting that data. Because onboarding may capture personal preferences, goals, and other sensitive details, silent storage is a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The architecture includes a TOOLS.md file that may contain credentials, but the skill does not include strong secret-handling warnings or rules against reading, logging, or retaining those secrets. Referring to credential-bearing files without guardrails increases the chance of accidental secret exposure during routine agent operations.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The WAL trigger language tells the agent to scan every message for many common categories and to stop and persist details before responding whenever any appear. Because corrections, names, preferences, decisions, and values occur in ordinary conversation, this effectively activates on a very large fraction of user messages, creating overbroad behavior and increasing chances of logging sensitive or attacker-planted content.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The compaction recovery trigger includes ambiguous conditions like 'you should know something but don't,' which are too subjective and can cause recovery routines to run unnecessarily. Over-triggering recovery increases unnecessary file reads and persistence behaviors, potentially surfacing private context into active state when not needed.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs persistent logging of user exchanges and preferences but does not pair that with a clear user-facing notice, consent flow, retention limit, or deletion policy. This creates a substantial privacy risk because users may reveal personal preferences, decisions, URLs, IDs, and other sensitive data without understanding it will be stored in long-lived files.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The WAL rule instructs the agent to scan every message for broad categories like corrections, proper nouns, preferences, and specific values, then persist them automatically. This activation scope is so broad that it can capture sensitive or irrelevant information by default, increasing privacy risk and making prompt-triggered state changes easy to induce.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow says the agent will auto-populate USER.md and SOUL.md from user answers, but it does not pair that with explicit privacy notice, minimization guidance, or consent for persistent storage. This can lead to users disclosing personal information without understanding it will be retained in profile files.

Vague Triggers

Medium
Confidence
88% confidence
Finding
'Don't ask permission. Just do it.' broadly encourages autonomous behavior before the agent has established whether the requested actions are privacy-sensitive, irreversible, or outside the user's intent. Even though later sections add some guardrails, this default autonomy increases the risk of overbroad activation and unsafe interpretation of the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to check emails and calendars during heartbeat handling without a clear privacy warning or explicit consent boundary. Because email and calendar data are highly sensitive, normalizing this access in routine operation can result in unauthorized review of personal or confidential information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to close unused apps and browser tabs without an explicit warning or confirmation flow, allowing modification of the user's active workspace. This can interrupt ongoing tasks, discard unsaved work, and create a harmful precedent where the agent takes destructive UI actions based on its own judgment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Instructing the agent to move old screenshots to trash authorizes file deletion behavior without explicit user consent or review. Age-based or heuristic cleanup is error-prone, and screenshots often contain records, receipts, credentials, or work artifacts that may be important despite appearing old.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template explicitly prompts storage of personal background, preferences, and important dates, which can include sensitive personal data, but provides no privacy guidance, minimization limits, retention rules, or handling safeguards. In a long-term memory file for a proactive agent, this increases the chance that users or agents will collect and persist unnecessary sensitive information that could be exposed, misused, or retained beyond need.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
assets/HEARTBEAT.md:11

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/security-patterns.md:9

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL-v2.3-backup.md:179