RescueTime

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward RescueTime helper that fetches user-requested productivity reports, with privacy and API-key handling caveats.

Install only if you are comfortable letting the agent fetch your RescueTime activity reports. Keep the API key out of source control and shared logs, avoid broad date ranges unless needed, and redact both keys and detailed activity results before sharing transcripts or screenshots.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This skill processes highly sensitive behavioral telemetry, including app usage, screen time, and productivity patterns, but provides no user-facing privacy notice, consent guidance, or data minimization instructions. In practice, this can lead to users or downstream agents retrieving detailed activity histories without adequately communicating the sensitivity of the data or confirming that access is appropriate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal