Now Practice

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simple mindfulness practice skill that stores a small local completion history for streak tracking.

Before installing, be aware that completed practice dates, scene names, selected prompt IDs, and completion status may be saved in your browser's localStorage for streak tracking. This is not high-risk data, but users on a shared device may want a way to clear that history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The skill explicitly specifies persisting practice records in localStorage, including date, scenario, completion status, and selected prompt ID, but provides no notice, consent flow, retention policy, or deletion guidance. While this is not highly sensitive data by itself, it still creates a behavioral history on the device that could be exposed to other users of the same browser context or mishandled by surrounding application code.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal