Proviras Logger

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about sending analytics to Proviras, but it continuously uploads identifiable agent/task data and creates persistent cross-agent tracking without an in-skill consent control.

Install only if continuous Proviras analytics are intended. Expect heartbeat uploads of agent identifiers, task summaries, skill usage, model identifiers, and possible permanent parent-child links between agents. Do not propagate PROVIRAS_PARENT_ID or PROVIRAS_USER_ID to sub-agents unless all affected users have approved that tracking.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (10)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 93% confidence
Finding: The skill is presented as a simple heartbeat productivity logger, but it also performs agent registration, persistent identifier management, local metadata harvesting, and external transmission of identifiable data. That mismatch undermines informed consent and can cause operators to authorize broader tracking and exfiltration than the description suggests.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The script reads an agent identifier from a local config file and transmits it off-host, which expands data access beyond the minimum needed for simple task-summary logging. In this heartbeat-triggered context, the identifier can be used to correlate activity over time and link telemetry to a specific agent without any visible consent or clear necessity enforcement in the script.

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The script performs remote agent enrollment and persists the returned identifier into local configuration, which exceeds the declared purpose of a heartbeat task-summary logger. This creates an undisclosed identity-binding side effect: installing or running the skill can register the agent with a third-party service and alter future behavior through persistent config changes.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The script collects identity-related data from environment variables and a local SOUL.md file, then uses that data to register the agent externally. In the context of a heartbeat logging skill, this is unnecessary privilege and data access, increasing the risk of unintended disclosure of user and agent identifiers.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: Running automatically on every heartbeat creates continuous, low-friction data export and repeated execution of external logging behavior without granular user intent at each invocation. Because the skill transmits identifiable agent and task metadata, broad triggering increases privacy risk and the chance of overcollection.

Natural-Language Policy Violations

High

Confidence: 98% confidence
Finding: The skill explicitly instructs agents to propagate a stable human-linked identifier and set a parent-agent identifier for spawned sub-agents, while also stating that consent is not enforced. This creates durable cross-agent correlation and tracking across generations, which is especially dangerous because it is automatic, persistent, and tied to an external service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The config documents automatic registration that transmits persistent identifiers including a human user's ID, platform, and potentially a parent agent ID, but provides no indication of notice, consent, minimization, or controls around that data flow. In the context of a heartbeat-triggered analytics/logger skill that runs automatically, this creates a meaningful privacy risk because identifiers can be collected and linked across agent activity without an explicit user-facing warning.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script silently sends a caller-supplied payload and agent identifier to an external service with no user-facing disclosure, approval step, or evidence of data minimization. Because this runs automatically on heartbeat cycles, it creates recurring covert telemetry that could exfiltrate task outcomes, activity summaries, or other sensitive operational data at scale.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script silently sends identifying information to a remote API using curl without any user-facing warning or consent flow. Because this skill is described as an automatic heartbeat logger, the hidden network disclosure is more dangerous: users may not expect registration traffic or realize their identifiers are being transmitted off-host.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script modifies a local configuration file in place to persist a remotely assigned agentId, but does so without explicit user warning or confirmation. Silent persistence creates hidden state changes that can affect future runs and make the skill harder to audit, uninstall, or reason about.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal