Back to skill

Security audit

RescueTime

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward RescueTime API helper, with privacy caveats users should understand before use.

Install only if you are comfortable letting your agent query RescueTime data, which may reveal work habits, app usage, and daily routines. Store the RescueTime API key securely, avoid committing it to shared files, and ask the agent to fetch only the date ranges or reports you actually need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill description uses broad, everyday phrases like screen time, app usage, and how they spent their day/week, which can cause the skill to be invoked in situations broader than the user may intend. Because the skill accesses sensitive productivity and activity-monitoring data, over-broad triggering increases the chance of unnecessary access to private behavioral information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation instructs users to store an API key and retrieve detailed activity data, but it provides no privacy warning about the sensitivity of screen-time, application usage, and behavioral history. This can lead to users exposing intimate work patterns or credentials without informed consent, and the context makes this more serious because RescueTime data is inherently personal and potentially highly revealing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.