Context-Aware Delegation (SmartBeat)

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about context delegation, but its examples encourage background agents to read private chat history and other personal data and send summaries without enough guardrails.

Install only if you intentionally want background or isolated agents to read main chat history. Before using the examples, reduce history limits, pass task-specific summaries instead of raw conversation history, restrict email/calendar/message permissions, verify recipients, avoid automatic external delivery of sensitive summaries, and keep a record of any cron jobs or spawned sessions you enable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The cron payload instructs an isolated scheduled agent to access email, calendar, weather, private session history, and then send results outward via Telegram or email. That is a meaningful capability expansion beyond simple context-sharing and creates an automated cross-service data aggregation and exfiltration path, especially risky because it runs on a schedule without an interactive approval step.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The example is framed as a context-aware delegation skill, but the actual workflow is a broad personal assistant automation that reads multiple sensitive sources and produces an outbound report. This mismatch can mislead users about the real security posture and required permissions, increasing the chance that high-risk behavior is enabled under the guise of a simpler context-sharing capability.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly promotes using isolated or background sessions to query the main session's full conversation history, but it provides no warning about sensitive data exposure, consent, access control, or data minimization. In this skill's context, that omission is meaningful because the feature intentionally bridges isolation boundaries, which can cause background jobs or sub-agents to access secrets, personal data, or unrelated context that they would not otherwise need.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly encourages isolated sessions to pull main-session history to gain 'full awareness' without any consent, minimization, or privacy warning. That creates a real cross-context data exposure risk because users may not expect background jobs or sub-agents to access and reuse prior private conversations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The morning-report example combines session history, memory, email, calendar, and outbound delivery to Telegram/email, but does not warn about personal-data handling or external disclosure. This is dangerous because it normalizes aggregation and transmission of sensitive information across tools and channels without any guardrails.

Missing User Warnings

Medium
Confidence: 90%
Finding
The example explicitly instructs a sub-agent to read the main session history and then generate files based on that context, but it provides no consent boundary, data-minimization guidance, or warning that sensitive conversation content may be exposed to another execution context. This creates a real privacy and integrity risk: a cheaper/background agent can inherit sensitive user data and modify local files without clear authorization or scoping constraints.

Ssd 3

High
Confidence: 98%
Finding
The core pattern instructs isolated sessions to read full main-session history and use that context for autonomous work. This is a true security issue because it enables broad data propagation from a primary conversation into secondary agents or automations that may have different trust boundaries, retention, or delivery behavior.

Ssd 3

High
Confidence: 98%
Finding
This workflow specifically tells the agent to query main-session history, summarize recent conversation, and send the result via Telegram and email. That creates an immediate exfiltration path from private conversation state to external communications channels, increasing the chance of accidental disclosure of secrets, personal data, or sensitive business context.

Ssd 3

High
Confidence: 97%
Finding
The event-handler example instructs an isolated session to inspect prior private discussion about a client before acting on a webhook. This is risky because incoming events can trigger access to unrelated confidential context, potentially causing unauthorized use or disclosure of client-sensitive information in an automated flow.

Ssd 3

High
Confidence: 99%
Finding
The morning report recipe aggregates multiple sensitive sources—session history, memory, email, and calendar—and sends the result to Telegram. This materially raises the risk of sensitive-data exfiltration because a single automated task can collect and transmit a broad snapshot of private activity without any stated review, filtering, or consent controls.

Ssd 3

High
Confidence: 97%
Finding
The instructions explicitly combine private session history, memory notes, email, and calendar information into a single outbound report sent over Telegram or email. This creates a clear data-minimization and confidentiality risk: sensitive content from several domains is consolidated and transmitted automatically, increasing the blast radius of any mistake, misrouting, compromised destination, or overbroad tool permission.

VirusTotal

65/65 vendors flagged this skill as clean.