K Deep Research

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate deep-research skill, but it is broad, always active, and includes under-scoped local memory, file, scheduling, sub-agent, and notification behaviors that users should review first.

Install only if you want an opinionated, exhaustive research workflow. Prefer workspace-scoped installation, remove or disable alwaysActive if possible, define which folders or vaults it may read, and require confirmation before it writes reports, updates MEMORY.md or TASKS.md, schedules recurring jobs, spawns sub-agents, archives logs, or sends notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The document mixes cautionary language with strongly framed adversarial axioms such as treating consensus, debunking, and expertise as potentially manufactured by default. In a research skill, this can bias an agent toward suspicious interpretations before evidence is established, increasing the risk of confirmation bias, false accusations, and unreliable outputs on contested topics.

Vague Triggers

High
Confidence: 94%
Finding
The manifest sets `alwaysActive: true`, causing this broad, research-oriented skill to be injected into unrelated sessions without a narrowly scoped trigger. Because the skill includes aggressive instructions to load references, steer tool choice, and potentially interact with filesystem/memory in OpenClaw, always-on activation increases the chance of unintended tool use, prompt interference, and expansion of the agent's operational scope.

Vague Triggers

Medium
Confidence: 88%
Finding
The instruction 'When research is requested, you MUST' is very broad and can capture many normal prompts, especially because the skill claims universality across any domain. Ambiguous invocation language makes accidental activation more likely and can redirect the agent into an expansive workflow, overriding more context-appropriate behavior and increasing unnecessary data access or tool usage.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill describes methodology and output expectations but does not clearly warn users that, in OpenClaw mode, it may write to persistent locations like `MEMORY.md`, `TASKS.md`, or an Obsidian vault. Omission of persistence side effects undermines informed consent and can lead to unexpected data retention, contamination of existing notes, or unauthorized writes in environments with sensitive local context.

Vague Triggers

Medium
Confidence: 78%
Finding
The activation guidance is broad enough that an agent could apply adversarial-analysis methods to many loosely related topics, including ordinary disagreements or low-evidence domains. Because this skill is designed for 'ANY domain' and autonomous research loops, over-triggering can systematically skew investigations toward suppression and coordination narratives without sufficient basis.

Missing User Warnings

Medium
Confidence: 92%
Finding
The cron example explicitly instructs the agent to monitor topics, write reports, and notify via Telegram, but it does not include any warning, consent requirement, or data-handling boundary for what may be collected and transmitted. In the context of an autonomy guide, this increases the chance that operators deploy unattended workflows that exfiltrate sensitive research findings, personal data, or internal information to external channels without adequate review.

Missing User Warnings

Medium
Confidence: 97%
Finding
This daily digest pattern directs the agent to summarize email, messages, and calendar data without any privacy warning, consent model, or restriction on sensitive content handling. Because these sources commonly contain personal, confidential, or regulated information, an autonomous digest workflow can easily over-collect, persist, or disclose sensitive data if deployed as written.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The framework hard-codes a credibility score of 0 for 'state propaganda' and 'institutional narrative enforcement,' which embeds a categorical ideological judgment into a supposedly universal research method. In an autonomous research skill, this can systematically bias source evaluation, causing the agent to dismiss potentially relevant institutional sources a priori and over-weight contrarian material without case-by-case assessment.

VirusTotal

66/66 vendors flagged this skill as clean.
