Life Control

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed personal life-tracking automation guide, but users should review its external scripts, cron setup, and Telegram token handling before use.

Before installing, inspect the referenced repository scripts and cron template, use dedicated Telegram bot tokens stored outside shell history when possible, confirm where personal tracking data is stored, and verify how to stop scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs operators to export Telegram chat IDs and bot tokens and then run automation, but it provides no guidance on secret storage, scoping, redaction, or avoiding shell-history/process leakage. In a fleet-orchestration context, these credentials enable message delivery and bot impersonation, so weak handling can expose private notifications and allow unauthorized use of the bots.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation encourages scheduling recurring routines and Telegram delivery via cron without warning that they will continue to process personal-life data and send notifications automatically. In this skill's context, automation spans wellness, finance, relationships, and messaging, so misconfiguration or unattended operation can leak sensitive data, spam contacts, or perform unintended recurring actions.

VirusTotal

64/64 vendors flagged this skill as clean.
