Back to skill

Security audit

Ditto

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about loading a local profile, but it broadly reads profile data mined from past agent logs before tasks and applies it as working instructions without clear per-use consent or scoping.

Install only if you intentionally want agents to load and follow a locally mined Ditto work profile across tasks. Review the generated profile and the ditto-cli package/source first, and avoid using it for sensitive work unless you are comfortable with prior session history influencing current responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description says to use this 'before working on their task,' which makes invocation guidance extremely broad and likely to trigger for almost any request. In a skill that reads user-derived profile data from local history, broad automatic use increases unnecessary exposure of sensitive context and expands the chance that private historical content influences unrelated tasks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The manifest and instructions state that the profile is mined from local Claude Code, Codex, and OpenCode session logs, but they do not present a prominent warning or consent checkpoint before reading that data. This is dangerous because users may not realize the skill accesses and operationalizes historical local interaction data, creating a privacy and surprise-access risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to load a profile mined from local session logs and to use it so the agent 'act[s] like' the user. Treating mined historical content as operative task guidance creates a natural-language data exposure path where sensitive prior interactions can affect current responses, even when unrelated to the present task.

Ssd 3

Medium
Confidence
96% confidence
Finding
The setup text explicitly describes reading local Claude Code, Codex, and OpenCode logs into a private profile and then using that mined content. Even if the data remains on the user's machine, broad collection and later behavioral use of prior interactions increases the risk of over-collection, unintended prompt inheritance, and leakage of sensitive past context into new tasks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.