Scaffold

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate agent setup package, but it grants the agent broad, ongoing authority over files, memory, commits, and possibly external pushes; users should review that authority before installing.

Install only if you want a highly autonomous, file-backed agent workspace. Before using it, remove or revise automatic git commits, make every git push approval-only, disable heartbeat/cron monitoring until explicitly configured, keep credentials and sensitive personal data out of memory files, and run it in an isolated workspace or machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This scaffold is presented as a setup/memory package, but it embeds instructions for recurring autonomous operations such as checking email, calendar, weather, mentions, and initiating background work. That materially expands the agent's authority and behavior beyond passive scaffolding, increasing the chance of unreviewed actions and unintended access to external or sensitive systems.

Intent-Code Divergence

High
Confidence: 98%
Finding
The file gives broad safety assurances, but later authorizes proactive external interactions and even says to 'commit and push your own changes,' which directly conflicts with earlier restrictions on exfiltration and external actions. Contradictory policy is dangerous because agents often follow the most specific or latest instruction, causing unauthorized outbound actions despite nominal safety language.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The permission tier section says actions affecting anything outside the machine require confirmation, but a later section says web search and calendar checks are safe to do freely. This inconsistency can lead an agent to access external services, retrieve sensitive information, or trigger side effects without the user's awareness.

Intent-Code Divergence

High
Confidence: 99%
Finding
The external push rules forbid pushing to GitHub or other external services without explicit approval, but the heartbeat section later instructs the agent that it may 'commit and push your own changes' proactively. That contradiction could cause unapproved publication of code, documentation, secrets, or internal state to remote services.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The file instructs the agent to silently execute shell commands and inspect cron/workspace state during setup. For a scaffold/onboarding skill, these actions exceed passive guidance and can normalize undisclosed local environment probing, which may expose system details or trigger side effects without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The permission model authorizes package installation and service/system operations as part of the scaffold's posture configuration, even though the package is described as a setup/memory framework rather than an admin tool. This expands agent authority into host modification and operational control, increasing the chance of persistence changes, breakage, or privilege misuse.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The 'Open' posture permits autonomous external notifications and file operations outside the core workspace, which is not justified by the skill's stated purpose. That creates a direct path for data exfiltration, unintended communications, and modification of user files beyond the expected project boundary.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The hook mandates `git add -A && git commit` after any meaningful task completion, which is a write-side external action not clearly justified by the skill's stated setup/memory purpose. Because it is automatic and framed as mandatory, it can persist unintended changes, commit secrets, or alter repository history without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The startup hook instructs the agent to automatically read multiple memory files, including long-term context, without asking permission or announcing it. This expands data access beyond what a user may reasonably expect from a 'setup/memory' scaffold and can expose sensitive information from prior sessions or unrelated tasks.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The prompt explicitly tells the agent to update files and then commit everything, which expands the skill from passive scaffolding into repository-modifying behavior. Even though this is packaged as a user-facing prompt library rather than executable code, it normalizes source-control writes without requiring explicit confirmation, review, or scope limits, creating risk of unintended persistence of sensitive or incorrect changes.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The file explicitly instructs the agent to 'fix it' whenever something is broken or missing relative to user goals, without requiring a request or confirmation. That creates open-ended autonomy that can lead to unintended file changes, workflow actions, or external side effects that exceed the skill's stated role as profile/setup scaffolding.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Broad intervention authority is granted in a user-profile template, even though the skill metadata describes setup, memory, and prompting support rather than an action-taking automation agent. This mismatch increases the chance that the agent will interpret general goals as permission to act across unrelated tools or files.

Missing User Warnings

Medium
Confidence: 96%
Finding
This section explicitly permits proactive work 'without asking' and includes actions that can cross trust boundaries, notably repository operations that may culminate in outbound publication. In a heartbeat or background context, such permissions are especially risky because they normalize autonomous action when the user is not actively supervising.

Missing User Warnings

Medium
Confidence: 97%
Finding
The instructions explicitly tell the agent to run checks 'silently' before reporting back. Hidden execution undermines informed consent and prevents the user from understanding what system interrogation occurred, which is especially risky when shell commands and file enumeration are involved.

Vague Triggers

Medium
Confidence: 80%
Finding
The lifecycle triggers are defined broadly using imperative language like 'any new session begins' and 'no skipping,' increasing the chance that hooks fire in contexts the user did not intend. Broad automatic triggers can chain into additional reads or writes and reduce operator control over when side effects occur.

Missing User Warnings

Medium
Confidence: 91%
Finding
The file explicitly directs undisclosed reads of task, identity, and long-term memory files at session start and says not to ask permission or announce the startup sequence. Hidden data access undermines informed consent and may surprise users who do not expect automatic inspection of local memory artifacts.

Missing User Warnings

Medium
Confidence: 94%
Finding
Automatic git commits are performed without an explicit warning or confirmation, creating a hidden external side effect. This is especially risky because `git add -A` stages all workspace changes, which may include unrelated modifications or sensitive files, and the commit permanently records them in repository history.

Missing User Warnings

Medium
Confidence: 91%
Finding
This prompt instructs the agent to write directly to memory files based on conversational content, but does not require confirmation before modifying local data. That can lead to silent persistence of inaccurate, sensitive, or user-unwanted information, which is especially risky in a skill centered around long-term memory behavior.

Missing User Warnings

High
Confidence: 96%
Finding
The end-of-session prompt combines file updates with an instruction to commit everything, but gives no warning that it will alter repository contents and history. This can unintentionally persist private notes, erroneous state, or unrelated working-tree changes into version control, increasing both exposure and recovery cost.

Missing User Warnings

Medium
Confidence: 89%
Finding
The prompt tells the agent to read user files and infer what matters without asking the user first, which encourages broad access to local data beyond immediate necessity. In a memory-oriented skill, that increases the chance of over-collection, privacy violations, and surfacing stale or sensitive information the user did not intend to expose in the current session.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to execute `bash setup-wizard.sh` directly from the installed package without describing what the script changes, what files it writes, or what safeguards exist. This creates a supply-chain and transparency risk: users may run a workspace-modifying script with shell privileges based only on the README-style quick start, increasing the chance of unintended file changes or execution of malicious logic if the package is compromised.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file explicitly instructs the agent to treat local files as persistent memory and to read and update them each session. That creates a real risk of unreviewed modification of user data and silent persistence of information or behavior changes without clear per-action consent, audit boundaries, or scope limits.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide encourages users to configure cron-driven summaries and send them to external channels like Telegram, Discord, or email, but it provides no warning about sensitive data exposure, retention, or access control. In a skill centered on persistent memory and personal context, this omission can lead users to exfiltrate private information, task data, or internal summaries to third-party services without understanding the privacy implications.

Missing User Warnings

Medium
Confidence: 94%
Finding
The instruction to autonomously 'fix' missing or broken items does not warn about possible system, file, account, or communication side effects. In agent environments, vague repair directives are risky because they can be interpreted broadly and trigger irreversible or privacy-impacting actions without user awareness.

Vague Triggers

Medium
Confidence: 90%
Finding
The file states that users can add tasks directly and that the agent will 'pick them up,' but it does not define validation, authorization, or scope boundaries for what kinds of tasks may be accepted. In a memory/task-queue file that is read first on restart, this creates a prompt-injection style control surface where unexpected or malicious task text could trigger unintended autonomous actions or persistence across sessions.

VirusTotal

63/63 vendors flagged this skill as clean.