Back to skill

Security audit

Value Tracker

Security checks across malware telemetry and agentic risk

Overview

Value Tracker is a local ROI/time-tracking utility with expected local storage and export behavior, but users should avoid putting sensitive details in logged tasks.

Before first use, review or clear the bundled data.json if you want reports to reflect only your own work. Do not log secrets or highly sensitive business details, and review markdown reports or JSON exports before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The file explains that tasks are stored in `data.json` and suggests backups, but it does not explicitly warn users that logged task descriptions may include sensitive operational, financial, sales, or strategic details. Because the skill encourages logging real work items and exporting JSON for dashboards, users should be clearly alerted to the privacy and data-handling implications.

Missing User Warnings

Low
Confidence
87% confidence
Finding
This code provides an export command that can emit individual entries, including task descriptions and optional notes, to stdout as JSON. While export is part of the tool's purpose, there is no user-facing warning in the CLI help or runtime output that enabling --include-entries may expose potentially sensitive work details if redirected, shared, or logged elsewhere.

Session Persistence

Medium
Category
Rogue Agent
Content
return {"entries": []}

def save_data(data):
    """Save data to file."""
    with open(DATA_FILE, 'w') as f:
        json.dump(data, f, indent=2)
Confidence
60% confidence
Finding
Save data to file

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.