Causal Inference

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks to observe broad user activity and can import sensitive email, calendar, and message history into persistent local logs without enough scope or retention controls.

Install only if you intentionally want an agent to build a persistent causal log from your activity. Before using it, restrict allowed domains, avoid broad backfills, confirm which local provider accounts gog and wacli will use, choose short time ranges, delete temporary exports, and require explicit approval for purchases, deployments, permission changes, financial actions, or communication-history imports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The script directly queries Gmail through an external CLI and ingests mailbox contents into a local causal action log. In an agent-skill context, this expands the skill from causal reasoning into autonomous email data collection, which can expose sensitive communication metadata and content-derived behavioral signals without clear, explicit consent at execution time.

Vague Triggers

High
Confidence: 94%
Finding
Triggering on 'ANY high-level action' makes the skill activate across routine communications, file operations, purchases, deployments, and other sensitive workflows with little constraint. In practice this can cause pervasive interception, logging, or influence over unrelated actions, expanding access to private data and increasing the blast radius of mistakes.

Vague Triggers

High
Confidence: 93%
Finding
The activation language in the 'When to Trigger' section is ambiguous and expansive, combining broad mandatory wording with open-ended examples. That ambiguity makes it difficult to predict when the skill will engage, which is dangerous for a skill that performs historical backfill, persistent logging, and decision support around sensitive actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs collection and storage of historical emails, calendar events, and messages, then writes structured records to persistent memory, but provides no privacy notice, retention policy, or consent flow. Because these sources commonly contain personal and sensitive business data, silent aggregation materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script persistently writes derived calendar history into a local action log without any consent prompt, sensitivity warning, retention control, or minimization of imported fields. Calendar metadata such as meeting times, recurrence, attendance counts, and creation history can reveal sensitive behavioral and organizational information if the log is later accessed by other tools, users, or processes.

Missing User Warnings

Medium
Confidence: 83%
Finding
This code automatically queries calendar history via an external CLI and then imports the results into persistent storage without prominently informing the user that external command execution and bulk data ingestion will occur. In an agent-skill context, that raises the risk of silent collection of sensitive personal or enterprise scheduling data beyond what the user expects.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script appends email-derived activity data to a persistent action log without any user-facing warning, confirmation, or data minimization controls. In a skill that may run within an agent environment, silently converting mailbox history into durable behavioral telemetry increases privacy and surveillance risk, especially if the log is later reused by other components.

Missing User Warnings

Medium
Confidence: 92%
Finding
These direct Gmail queries fetch mailbox data without an explicit warning that email history will be accessed and processed. In the context of an agent skill, silent collection from a sensitive source is more dangerous because users may invoke a high-level causal-analysis capability without expecting mailbox enumeration and downstream persistence.

Missing User Warnings

Medium
Confidence: 83%
Finding
The script silently converts message-history data into a persistent action log, including behavioral metadata such as timing, group status, and inferred response patterns. In an agent skill context, this creates a privacy and consent problem because sensitive communication-derived metadata is retained without explicit notice, confirmation, or minimization controls.

Missing User Warnings

Medium
Confidence: 91%
Finding
The WhatsApp direct-query path writes fetched message data to `/tmp/wacli_messages.json`, creating local persistence of potentially sensitive conversation history outside the main log path and without disclosure. On multi-user systems or environments with weak temp-file hygiene, this can expose private data to other processes or leave recoverable artifacts after execution.

VirusTotal

64/64 vendors flagged this skill as clean.
