Back to skill

Security audit

Ai Office Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CEO operations skill, but it needs Review because it can handle sensitive business data and make calendar or log changes without clear approval gates.

Review before installing if you plan to connect real company data. Keep integrations disabled until you have scoped credentials, require confirmation before Calendar, diary, Telegram, CRM, or Sheets actions, avoid broad one-word triggers in production, and back up any existing ai-office-pro skill directory first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The proof explicitly documents using SSH to inspect and modify an n8n workflow on a VPS, which is an operational capability beyond a chief-of-staff skill's stated scope. Even if described as a maintenance step, normalizing shell-level workflow changes expands the agent's implied authority and increases the risk of unauthorized infrastructure access or destructive modifications if the pattern is reused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly instructs users to populate the system with real business data, KPI figures, decision logs, and investor-update content, but provides no privacy, confidentiality, or data-handling warning. In a CEO operations skill, this strongly encourages entry of commercially sensitive information into an AI workflow, increasing risk of unauthorized disclosure, oversharing to third-party models, or unsafe storage in chat history and skill files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very common words like 'plan,' 'review,' 'goal,' and 'decision,' which can cause the skill to activate in unrelated contexts. That increases the chance the agent will intercept conversations unexpectedly and apply its workflow where the user did not intend, creating confusion and possibly causing inappropriate task handling.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow explicitly instructs the agent to 'take action autonomously when appropriate' and to 'execute the steps,' but it does not define approval gates, action boundaries, or safeguards for operations affecting data, communications, or external systems. In an executive-assistant context, this is risky because the agent may be trusted with high-impact planning or operational tasks and could take unintended actions without informed user consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation text is broad enough to match many normal business requests such as planning, prioritization, allocation, performance review, and decision-making. In an agent system, this can cause unintended activation of a high-privilege strategic skill, increasing the chance of inappropriate file access, state modification, or downstream delegation without explicit user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The scheduling instructions explicitly automate running the local briefing tool and relaying its output, which may include calendar events, reminders, locations, and other sensitive personal data. Because the documentation does not require confirmation, redaction, or privacy warnings, it creates a realistic risk of unintentional disclosure through automated transmission.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill uses very broad trigger phrases such as 'приоритеты', 'фокус', and 'как дела в бизнесе' to switch operational modes. In a system that can read Sheets, create Calendar events, and write decision logs, ambiguous routing can cause unintended tool use, data writes, or disclosure of business data from ordinary conversation rather than an explicit command.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt authorizes reading Google Sheets, creating Google Calendar events, saving logs via diary.create, and using web search, but does not require explicit user consent or announce when these side effects will occur. This creates a real risk of silent external data access, unintended persistence, and unauthorized state changes in business systems, especially given the broad triggers defined elsewhere in the prompt.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger phrase "брифинг" is extremely generic and likely to appear in ordinary user conversation outside the intended skill boundary. In an agent setting, this can cause accidental activation and injection of the skill's behavioral framing into unrelated tasks, especially because the skill appears designed for broad executive workflow orchestration.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "приоритеты" is vague, common language and not meaningfully scoped to this skill. Because the skill operates on planning and delegation workflows, accidental triggering could steer the agent into unintended decision-support behavior during normal conversation, making boundary confusion more likely.

Vague Triggers

Medium
Confidence
97% confidence
Finding
"делегировать" is a broad imperative verb that could naturally appear in many business discussions, making unintended activation highly plausible. In this skill's context, accidental activation is more concerning because it may generate authoritative-sounding delegation instructions affecting personnel, budgets, and operations.

Vague Triggers

Low
Confidence
82% confidence
Finding
The phrase "топ-3" is ambiguous and could refer to many ordinary requests, though its narrower business context makes accidental activation somewhat less likely than the other one-word triggers. It still presents an activation-boundary weakness because it lacks any product-specific identifier or structured invocation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.