πŸ€–πŸ€πŸ§  better collab with your agent

Security checks across malware telemetry and agentic risk

Overview

This skill locally analyzes a user's ChatGPT export and saves a profile; that is sensitive, but it is disclosed, user-controlled, and shows no evidence of hidden upload, automatic execution, or destructive behavior.

Install only if you are comfortable analyzing a ChatGPT export locally. Treat both conversations.json and the generated profile as sensitive files, redact or sample data where possible, avoid committing them to shared repositories, and carefully review any profile text before adding it to SOUL.md or AGENTS.md. Use a virtual environment and consider pinning dependencies; do not run test_wildchat.py unless you intentionally want to fetch and profile the external WildChat dataset.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script retrieves data from an external Hugging Face dataset even though the skill is described as analyzing conversation exports. That expands the data boundary and causes the skill to process third-party conversation content and metadata not clearly covered by the stated purpose, creating privacy, compliance, and unexpected data-ingestion risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code groups conversations by hashed_ip and then builds persistent per-user cognitive profiles, which is a form of user tracking even if the identifier is pseudonymous. In this skill context, profiling communication patterns by stable identifiers materially increases privacy sensitivity because it links multiple conversations into a behavioral dossier.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The package summary encourages analysis of ChatGPT conversation exports and emphasizes local processing, but it does not warn that those exports can contain highly sensitive personal, confidential, credential-adjacent, or regulated information. In a skill specifically designed to profile users from their conversations, omission of privacy warnings increases the likelihood that operators will ingest sensitive datasets without redaction, consent checks, retention controls, or downstream sharing safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to export and process full ChatGPT conversation history, which commonly contains sensitive personal, professional, credential, and proprietary data. Because the documentation does not warn users about privacy risks, data minimization, or safe handling practices, it increases the chance that users will expose confidential information to local tools, derived profile files, or downstream agent memory documents like SOUL.md or AGENTS.md.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill processes full ChatGPT conversation exports, which commonly contain extremely sensitive personal, professional, medical, financial, and authentication-related content, yet the quick-start flow does not prominently warn users about that sensitivity before analysis. That omission increases the risk that users will ingest or persist sensitive data into agent environments and derived profile files without understanding the privacy consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The methodology explicitly includes collection and analysis of conversation metadata such as timestamps, titles, and conversation IDs, but it does not describe any privacy notice, minimization, retention limits, or consent safeguards. Because this skill analyzes exported ChatGPT conversations, those fields can expose sensitive behavioral patterns and enable re-identification or linkage across datasets, making the omission a real privacy/security weakness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script processes highly sensitive ChatGPT export data and derives behavioral/cognitive profiling outputs, then writes them to disk without prominent privacy notice, consent checkpoint, minimization controls, or safeguards around storage/sharing. In this skill context, that is more dangerous because the entire tool is designed to infer persistent user traits from personal conversations, increasing the risk of privacy harm, unauthorized profiling, and secondary misuse of intimate data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script processes user-linked conversation data from a public dataset and derives cognitive profiles without any visible user-facing privacy warning, consent check, or purpose limitation. Because the stated function is personalized profiling, the absence of privacy controls is more dangerous than generic analytics: the output can reveal behavioral traits tied to a stable identifier.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script saves profiles that include both a displayed user_id and the full user_hash to disk, creating a persistent file of behavioral profiles tied to stable identifiers. In the context of a cognitive-profiling skill, this materially raises re-identification, misuse, and secondary-use risk if the output is shared, retained, or exfiltrated.

Ssd 3

Medium
Confidence
94% confidence
Finding
The generated prompt snippet explicitly encourages copying conversation-derived cognitive profile details into SOUL.md or AGENTS.md, which are long-lived agent instruction files that may be checked into repositories, shared with teammates, or reused across contexts. In this skill, that makes the issue more dangerous because sensitive inferred traits from private chats are transformed into persistent configuration data, amplifying exposure and enabling profiling beyond the original analysis context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Install with: pip install -r requirements-test.txt

# Core skill requirements (from requirements.txt)
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0
Confidence
91% confidence
Finding
scikit-learn>=1.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core skill requirements (from requirements.txt)
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0

# WildChat dataset access
Confidence
91% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core skill requirements (from requirements.txt)
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0

# WildChat dataset access
datasets>=2.14.0
Confidence
95% confidence
Finding
PyYAML>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyYAML>=6.0

# WildChat dataset access
datasets>=2.14.0

# Optional: For faster streaming
# pyarrow>=12.0.0
Confidence
84% confidence
Finding
datasets>=2.14.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0
Confidence
94% confidence
Finding
scikit-learn>=1.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0

# Optional: For advanced BM25 ranking (script has built-in fallback)
Confidence
94% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
scikit-learn>=1.3.0
numpy>=1.24.0
PyYAML>=6.0

# Optional: For advanced BM25 ranking (script has built-in fallback)
# rank-bm25>=0.2.2
Confidence
95% confidence
Finding
PyYAML>=6.0

Known Vulnerable Dependency: scikit-learn (6 advisories): CVE-2020-13092 (scikit-learn Deserialization of Untrusted Data); CVE-2024-5206 (scikit-learn sensitive data leakage vulnerability); CVE-2020-28975 (scikit-learn Denial of Service) +3 more

Critical
Category
Supply Chain
Confidence
72% confidence
Finding
scikit-learn

Known Vulnerable Dependency: numpy (10 advisories): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
67% confidence
Finding
numpy

Known Vulnerable Dependency: PyYAML (8 advisories): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
PyYAML

VirusTotal

55/55 vendors flagged this skill as clean.