Session Cost Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is a local session cost tracker that stores user-entered session details on disk, with a privacy note but no evidence of hidden collection or exfiltration.

Install only if you are comfortable keeping session task descriptions, outcomes, notes, token counts, model names, and estimated costs in a local JSON file. Avoid logging secrets or sensitive client/project details, and consider setting a private storage path or tightening file permissions if the machine is shared or backed up.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script persistently stores task descriptions, outcomes, and notes in a file under the user's home directory without any explicit notice, consent flow, or restrictive permission handling. In a skill context, those fields may contain sensitive work details, internal project names, or personal notes, so silent long-term retention increases privacy and data exposure risk if the host is shared, backed up, or later accessed by other tools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal