Back to skill

Security audit

Daily Standup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed daily work-summary skill, but it can read sensitive data from connected work accounts when you invoke it.

Install only if you trust MorphixAI and the required plugin. Connect only the GitLab, GitHub, Jira, email, task, and calendar accounts you want included in summaries, and use explicit standup or daily-report prompts to avoid accidental aggregation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad everyday phrases such as “帮我看看今天有什么”, which can cause the skill to activate in contexts where the user did not clearly request aggregation of multiple connected services. Because the skill accesses potentially sensitive work data across code, email, calendar, and tasks, over-broad activation increases the risk of unintended data retrieval and disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to connect multiple sensitive accounts and then aggregates data from email, calendar, task systems, Jira, GitLab, and GitHub, but it does not provide an explicit privacy notice, scope disclosure, or consent reminder at runtime. This is dangerous because users may not realize the breadth of data being accessed and summarized, leading to over-collection or exposure of sensitive business information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.