Back to skill

Security audit

LifeOS

Security checks across malware telemetry and agentic risk

Overview

This skill is for managing LifeOS/Obsidian notes, but it directs agents to run a live npm CLI that can edit the real vault and overwrite installed agent skill files, so it needs user review before installation.

Install only if you intentionally want an agent to read and modify your LifeOS/Obsidian vault. Prefer giving an explicit `vault=` path, review proposed file changes before writes or AI Wiki updates, keep backups/version control for the vault, and avoid running `skill install` unless you trust the exact npm package version being executed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documented default invocation executes `npx -y @life-os/cli`, which can fetch and run a package from the registry at runtime. That expands the skill from local vault management into network-dependent code execution and creates supply-chain risk if the package, dependency chain, or resolved version is malicious or compromised.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The vault resolution logic reads Aino application state (`bootstrap.json`) to locate the last opened folder, which accesses host application metadata outside the user's explicit vault path. While not code execution, it broadens filesystem and privacy access beyond the stated note/task operations and may cause the tool to act on an unintended vault.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `skill install` command can write or overwrite agent skill files under `.agents/skills/lifeos/`, giving the CLI self-install/update capability unrelated to ordinary vault reading and task management. In combination with the `npx` execution model, this increases persistence risk by allowing remotely sourced package code to modify the agent's future behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly states the skill operates on the user's real LifeOS vault and can append to or update notes, tasks, and AI Wiki pages, but it does not warn about irreversible data modification, review-before-write expectations, or the need for backups. In an agentic context, this increases the chance of unintended edits to personal knowledge data, especially when broad requests like updating topic pages or task lists are interpreted automatically.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is very broad and matches common, everyday requests like asking about tasks, notes, journaling, reviews, or capturing thoughts. In an agent-routing context, this can cause the skill to be invoked too eagerly, giving it access to read or modify a user's vault when the user may have intended only a general conversation or a narrower capability.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase "or anything similar" creates an open-ended activation condition that can cause the skill to trigger on ambiguous requests and perform AI Wiki maintenance workflows the user did not clearly ask for. In a skill that can read and modify vault files, overly broad routing increases the chance of unintended data access and unintended writes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly directs the agent to create/overwrite a `.AI.md` file and append to index and changelog files, but it does not require a user-facing notice or confirmation that persistent vault contents will be modified. Because these are durable file operations, an ambiguous or misrouted request could lead to silent changes, data loss in the overwritten page, or unexpected vault churn.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation states that `skill install` overwrites `SKILL.md` and `references/` as part of update behavior, but it does not present a strong safety warning or require explicit acknowledgement before replacing existing files. This can silently destroy local customizations or replace trusted skill content with newly fetched content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.