Immortal_Brain

Security checks across malware telemetry and agentic risk

Overview

This is an openly autonomous task and memory agent, but it needs review because it can proceed to execution after user silence (without explicit approval) and maintains broad local profile, identity, and memory files.

Install only if you intentionally want a background-style autonomous task and memory agent. Review and edit HEARTBEAT.md before enabling it, disable silence-based auto-approval if you require explicit consent, avoid storing secrets in TOOLS.md or memory files it scans, and back up MEMORY.md and IDENTITY.md before using optimization or identity update commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (61)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import subprocess

    result = subprocess.run(
        [sys.executable, str(skill_dir / "scripts" / "brain_service.py"), "help"],
        capture_output=True,
        text=True,
Confidence
91% confidence
Finding
result = subprocess.run( [sys.executable, str(skill_dir / "scripts" / "brain_service.py"), "help"], capture_output=True, text=True, timeout=10,

Lp3

Medium
Category
MCP Least Privilege
Confidence
98% confidence
Finding
The skill advertises broad capabilities including shell, file read/write, environment access, network use, and autonomous workflow execution, but does not declare permissions or boundaries. That combination makes the skill harder to audit and allows high-impact actions to occur without clear user awareness or platform-level restriction.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is task workflow automation, but the behavior extends into rewriting identity and memory files, reorganizing workspace content, optional Telegram communication, and running additional daemon-like maintenance behavior. This mismatch is dangerous because users may authorize a seemingly narrow productivity skill that in practice can modify unrelated persistent state and communicate externally.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documentation explicitly says the system will begin execution automatically after a 6-minute timeout, extending behavior from research/planning into autonomous action. In an agent skill context, silent auto-escalation from planning to execution is dangerous because user inactivity can be misinterpreted as consent, enabling unintended file changes, external actions, or chained task execution.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs users that if they say nothing, tasks are auto-approved in 6 minutes, which creates an unsafe consent model for an autonomous agent. This can lead to unauthorized or unexpected actions simply because the user was absent, busy, or missed the notification.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file describes building a persistent user profile from behavioral data such as preferred topics, productive hours, and approval rate without clear necessity or scope limitation. That creates privacy and misuse risk because profiling data can persist beyond the immediate task and influence future autonomous behavior without informed consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states that modifications require user approval, but elsewhere it schedules automatic optimization of MEMORY.md every 2 hours. This contradiction can normalize or justify silent mutation of long-term memory files, creating integrity and consent risks for user data and agent behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is described as an autonomous research/analysis/planning/execution system, but this file documents continuous management and modification of core identity and memory artifacts. That scope expansion is dangerous because it grants the skill influence over persistent persona, user profile, and memory state beyond its declared mission, increasing the chance of unauthorized behavioral drift.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Managing and 'improving' USER.md, SOUL.md, and IDENTITY.md is a sensitive capability because those files encode user attributes and agent identity. Without a strong justification tied to the skill's purpose, this introduces unnecessary access to high-sensitivity state and creates opportunities for privacy harm, misprofiling, or manipulation of the agent's core behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow explicitly allows execution to proceed after a timeout, which removes the requirement for contemporaneous user consent before taking actions. In the context of an autonomous agent that processes arbitrary incoming tasks, this expands authority beyond the stated task-coordination purpose and can lead to unintended or unsafe actions being performed without confirmation.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes recurring analysis and possible modification of IDENTITY.md and related core files, even though that is not necessary for basic task processing. Granting a task workflow authority to inspect and alter identity or memory artifacts increases the chance of unauthorized configuration drift, persistence abuse, or manipulation of future agent behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The profiling section directs the system to infer preferred topics, working hours, and approval tendencies from ongoing activity, which exceeds what is required for simple task automation. That unnecessary collection creates a behavioral dataset that can be misused for persuasion, implicit authorization decisions, or privacy-invasive monitoring.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation introduces self-modifying identity management, versioning, and behavioral adaptation capabilities that exceed the stated workflow/reporting scope of the skill. Scope expansion like this is dangerous because it enables persistent changes to agent behavior and metadata without a clearly bounded authorization model, making misuse or unintended drift more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This section describes applying identity changes through a Telegram trigger, effectively allowing remote modification of agent state and files through a conversational command. That is risky because message-triggered state changes can be abused through spoofed, injected, or ambiguous commands, especially when they persist changes to identity and history.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Allowing the agent to self-modify its identity/profile is an unjustified and persistent capability relative to the described automation purpose. Self-referential modification can create behavioral drift, weaken operator control, and establish a foothold for prompt-driven or command-driven persistence across sessions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Autonomous analysis and modification of SOUL.md, TOOLS.md, MEMORY.md, USER.md, and IDENTITY.md goes beyond task execution and affects persistent agent and user state. Because these files influence future behavior and may contain sensitive information, silent or routine rewriting can cause long-lived integrity, privacy, and safety issues.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a task workflow engine, yet the documentation expands into management of unrelated core profile and memory files. This broadening of scope increases the chance of unintended access and persistent changes outside the user's expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The service includes identity self-management files and routines that are not necessary for basic task workflow orchestration, expanding the skill's authority and persistence surface. In an agent setting, this kind of self-modification of persona/state can enable hidden prompt drift, persistence of attacker-influenced content, and harder-to-audit behavior over time.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The Core Memory analysis/optimization commands add capabilities beyond the declared task-processing purpose, increasing the scope of files the skill can inspect and modify. Unnecessary capability expansion is dangerous because it creates additional paths for sensitive data exposure or unintended file changes unrelated to the user's immediate task.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code explicitly parses and promotes storage of sensitive operational details such as SSH configurations, camera information, device configs, and user profile/history in long-term local files. Centralizing this data increases exposure if the workspace is accessed by other skills, compromised locally, or exfiltrated later, and it is broader than necessary for the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
An installation verifier is expected to inspect the environment, not run the skill's operational code. By invoking brain_service.py, this script expands the trust boundary and creates an execution path that could be abused for persistence, data access, or other unintended actions under the guise of setup validation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Presenting automatic execution after timeout without a prominent safety warning normalizes risky autonomous behavior and may cause users to underestimate the consequences of non-response. In a skill that can process many tasks repeatedly, lack of warning increases the chance of unintended operations at scale.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises learning from user behavior and storing a user profile, but does not provide an explicit privacy notice, consent boundary, or explanation of what data is stored. Users may unknowingly expose sensitive work patterns or preferences that become persistently logged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown promotes continuous automated analysis and optimization of user/core memory files but does not provide a clear privacy notice, retention policy, or warning about data impact. In context, these files may contain personal preferences, projects, identity, and behavioral history, so silent periodic processing increases privacy, compliance, and user-consent risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The design permits automatic execution after timeout without clear, up-front safety boundaries about what actions may occur without explicit approval. In an agentic workflow, silence should not be interpreted as permission, because users may miss notifications while the system proceeds to execution anyway.

VirusTotal

64/64 vendors flagged this skill as clean.
