Ms Todo

Security checks across malware telemetry and agentic risk

Overview

The skill appears coherent and purpose-aligned, with the main caveat that it exposes task deletion without clearly documented confirmation guidance.

Install only if you expect this skill to manage tasks, including deleting them. Before allowing delete_task to run, confirm the exact task being removed and whether deletion is reversible; avoid broad or ambiguous deletion requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly documents a destructive `delete_task` action but provides no warning, confirmation guidance, or caution about irreversible effects. In an agent-driven context, this increases the chance of accidental or unauthorized task deletion through ambiguous prompts or overbroad automation, especially because task management actions are routine and may be invoked without heightened scrutiny.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal