LX Agent Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad ongoing authority to read private context, update memory/logs, check calendars/channels, and commit workspace changes without enough scoping or confirmation.

Install only if you want a highly proactive agent and are willing to review its cron jobs, memory writes, local-file access, and repository changes. Before use, require confirmation for git commits, calendar/private-data access, external channel probes, and persistent memory or TOOLS.md updates; also replace the Paolo-specific paths with your own scoped configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill directs the agent to read local files such as session logs, workspace memory, and improvement logs, but the manifest shown here does not declare corresponding permissions. Undeclared file-read capability weakens the trust boundary because neither users nor runtime policy enforcement may account for the skill's ability to inspect local data, including potentially sensitive conversation history and metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The description presents the skill as a general optimizer, but the content also prescribes reading session JSONL logs and producing token/cost analytics from local telemetry. That hidden operational behavior expands data access beyond what a user would reasonably infer from the summary, increasing the risk of unexpected collection and analysis of sensitive usage data.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill explicitly allows the agent to 'Commit workspace changes' without asking first. Committing is a state-changing action that can persist unintended modifications, expose sensitive material in version history, and interfere with repository integrity even if no immediate exfiltration occurs.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger 'Something discovered user would want to know' is highly subjective and can justify broad unsolicited actions or notifications. In a proactive agent, vague triggers increase the chance of over-collection, unnecessary monitoring, and disruptive or privacy-invasive outreach based on weak inference.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill authorizes several actions without asking, culminating in workspace modification and commits, but does not warn users that repository state may be changed automatically. This creates a consent and integrity problem: an agent could alter tracked files, logs, or memory artifacts without an explicit approval checkpoint.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guidance explicitly instructs the agent to send a live 'silent message' probe to test whether a channel is alive. Even if framed as operational health checking, this is still an outbound action to an external channel without notice, consent, or clear guardrails on where the probe may be sent, which can create privacy, audit, and unintended-notification risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance explicitly allows updating persistent artifacts such as memory, logs, and TOOLS.md without asking or notifying the user. Even if framed as routine maintenance, silent modification of persistent state can alter future agent behavior, retain sensitive information, or create hard-to-audit changes the user did not consent to.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill authorizes reading files, searching the web, and checking calendars 'freely' without user notice, but these actions can expose private local content or sensitive schedule data, or trigger privacy-invasive background behavior. In an agent-automation context, normalizing unrestricted proactive access increases the chance of overcollection and unauthorized handling of personal data.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Just checked < 30 min ago
- Task succeeded (success = silent)

**Do without asking:**
- Read files, search, organize
- Execute cron/heartbeat checks
- Update memory and logs
Confidence
86% confidence
Finding
without asking

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal