Task Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill transparently keeps a small local task file so work can resume later, but that file may retain task details across sessions.

Install this only if you are comfortable with the agent maintaining memory/tasks.md automatically. Review or clear that file for sensitive tasks, especially if task notes, server names, commands, links, or error details should not persist across sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 94% confidence
Finding: The skill is described as triggering automatically on every task start, progress update, completion, or failure, which is an excessively broad activation scope for a stateful skill that performs persistent writes. This increases the chance of unintended invocation and silent collection/storage of task details across many contexts, including sensitive workflows the user did not explicitly consent to persist.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to persist task details, results, errors, and background-session metadata to `memory/tasks.md` without any consent, minimization, or sensitivity guidance. Because this memory is explicitly intended to survive session resets, it can retain operational details the user may not expect to be stored, creating a privacy and security exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal