Back to skill

Security audit

Causal Inference

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can build persistent logs from broad email, calendar, message, and activity history without enough scoping or retention controls.

Install only if you intentionally want an agent to create a persistent causal log from your activity. Before using it, restrict allowed domains, avoid broad backfills, confirm which local accounts gog and wacli will access, use short date ranges, delete temporary exports, and require explicit approval for purchases, deployments, permission changes, financial actions, and communication-history imports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill embeds shell commands and persistent file writes but does not declare corresponding permissions, which creates a capability/transparency gap. In practice, this can cause an agent or reviewer to underestimate that the skill can read historical data, execute external tools, and persist sensitive logs locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is described as a general causal-reasoning layer, but the content also instructs direct access to Gmail, calendar, and messaging history plus persistent local logging. That mismatch is dangerous because users may authorize a broad planning/analysis skill without realizing it performs sensitive data collection and storage across communication systems.

Vague Triggers

High
Confidence
97% confidence
Finding
The instruction to trigger on ANY high-level action is an overly broad activation condition that can cause the skill to run during routine agent behavior, including sensitive actions unrelated to the user's intent. In context, that broad trigger combines with logging and backfill behaviors, increasing the chance of unnecessary data capture, interference, and privilege overreach.

Vague Triggers

High
Confidence
95% confidence
Finding
The manifest description defines a catch-all scope covering nearly any action with observable outcomes, which makes activation ambiguous and prone to collision with other normal agent operations. Because the skill also proposes data collection and action gating, this ambiguity can expand its operational reach far beyond what a user would reasonably expect from the name alone.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The backfill instructions direct access to historical emails, calendar events, and message history without an explicit privacy warning, consent flow, retention policy, or minimization guidance. This is risky because it can ingest large volumes of sensitive personal or business communications into local files and derived logs, potentially exposing confidential metadata and content relationships.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes derived calendar activity and metadata to a persistent local action log without any user-facing notice, confirmation, or minimization controls. Calendar records can contain sensitive behavioral information such as schedules, recurrence, meeting size, and status, so silently persisting them increases privacy and data-retention risk in an agent skill that operates on user history.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This path fetches calendar contents directly from the gog CLI and writes the raw response to a predictable temporary file in /tmp before processing, without warning the user that sensitive calendar data is being retrieved and stored locally. In a multi-user environment, temporary-file handling and undisclosed local persistence can expose private event data beyond the intended scope of the backfill operation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script directly queries Gmail and processes message metadata and potentially content-linked fields without any explicit runtime warning, consent gate, or minimization controls. In an agent-skill context, this is more dangerous because the skill can silently expand from causal-analysis functionality into accessing private mailbox history, creating privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code derives behavioral data from emails and appends it to a persistent JSONL log without warning at the write site or offering retention controls. In this skill, that increases sensitivity because it transforms communications history into durable activity telemetry that may later be reused, exposed, or correlated beyond the user's expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes the full WhatsApp export output to a predictable temporary file in /tmp, which can expose sensitive message history to other local users, backup systems, or forensic recovery depending on system configuration. Because this skill processes private communications, persisting raw message data unnecessarily increases confidentiality risk beyond what is needed for backfilling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.