Rick CEO — AI Operator for Solo Founders

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives the agent broad operator-style authority to inspect local and business systems and act without enough approval boundaries.

Install only if you want an assertive operator-style skill and are comfortable with local repo, process/session, uptime, and possible financial-account inspection. Before using it, set rules that the agent must ask before editing files, deploying, contacting customers, making purchases, changing accounts, killing processes, or using Stripe/authenticated business tools. Run it only in intended repositories and suppress the upsell with RICK_QUIET=1 if desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill’s declared purpose is a benign-seeming CEO/briefing workflow, but the documented behavior expands into local environment inspection, repository metadata collection, tmux/process enumeration, and marketing output that are not clearly disclosed in the manifest. This mismatch is dangerous because users may invoke the skill expecting planning assistance while it silently gathers broader host and workspace state, increasing the risk of unintended data exposure and overbroad execution.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation reframes the skill from an assistant that provides briefings into an autonomous operator that identifies actions and executes them without explicit user direction. In agent environments, this scope expansion is risky because it can cause the agent to take real actions on code, infrastructure, or business systems beyond what the user reasonably authorized from the manifest description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script enumerates all active tmux sessions on the host and prints them as part of a daily briefing, even though tmux session names can reveal unrelated project names, customer identifiers, internal environments, or other sensitive operational context. In this CEO-briefing context, that host-wide visibility is broader than necessary and increases the chance of unintended disclosure to the user or downstream logging systems.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger scope is so broad that it can activate for generic CEO/operator requests, making the skill likely to run in contexts where users did not intend workspace inspection or operational action. Overly broad routing increases the chance of accidental invocation and unintended access to local repositories, processes, or connected services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The daily briefing workflow instructs the agent to run a local shell script and scan workspace state without warning that this entails command execution and host-level access. This is dangerous because a seemingly harmless briefing request can lead to arbitrary local script execution and broad inspection of project data, which may expose secrets or run attacker-controlled code from the repository.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The heartbeat workflow includes process inspection, git status checks across repos, and uptime checks for configured URLs without clearly warning the user that the host and external services will be probed. In practice, this can reveal sensitive operational details about local development environments and internal services, and may trigger network activity against private endpoints unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Printing active tmux session names without notice can leak sensitive workspace context such as repository names, incident channels, customer names, or infrastructure labels. Because the output is designed for briefing/summary use, users may not expect that unrelated host context will be surfaced, making this a meaningful privacy and data-exposure issue.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Operating Principles

1. **Act first, report after.** Do reversible work without asking.
2. **Fix before escalating.** Diagnose and fix, then report what happened.
3. **Revenue is the scoreboard.** Every action connects to revenue, revenue protection, or leverage toward revenue.
4. **Velocity over perfection.** Ship the 80% version. Iterate on real data.
Confidence
94% confidence
Finding
without asking

VirusTotal

62/62 vendors flagged this skill as clean.