Mood Checkin

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent mood check-in helper, but it automatically stores and reuses sensitive emotional history without clear consent or deletion controls.

Install only if you are comfortable with a local mood-checkin-profile.json file storing emotional check-ins, inferred patterns, archetypes, and monthly summaries. Use it in a private workspace, avoid sharing generated cards unless intentional, and manually delete the profile file when you want to reset or remove stored history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (5)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to persist sensitive mental-health and mood data, including history, archetypes, and session patterns, to a local JSON file without any explicit consent flow, retention notice, or privacy warning to the user. Because this is intimate emotional data, silent storage materially increases privacy risk if the workspace is shared, synced, logged, or later accessed by other tools or users.

Ssd 3

Medium

Confidence: 92% confidence
Finding: These instructions combine persistence of sensitive disclosures with later reuse in summaries and profile-driven outputs, creating a pipeline where private emotional data is repeatedly surfaced beyond the immediate conversation. That increases the chance of unintended exposure, especially when prior disclosures are echoed back in future sessions or shown in generated recap artifacts.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill is explicitly designed to transform emotional disclosures into 'shareable' weather-report artifacts, which encourages packaging sensitive mental-state information into screenshot-friendly content. Even if sharing is user-initiated, designing outputs for virality around vulnerable disclosures raises the risk of oversharing, coercive sharing, or accidental disclosure in chats, screenshots, and logs.

Ssd 3

Medium

Confidence: 96% confidence
Finding: Read-me mode actively solicits highly personal disclosures about mental state, avoidance, and bodily feelings, then instructs the model to convert them into screenshot-oriented summaries. This creates an elevated privacy and emotional-safety risk because the mode is optimized to extract vulnerability and reframe it into a compact artifact that could be exposed or misused outside the original context.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The archetype and monthly wrapped features aggregate mood history into identity-style labels and recap cards, increasing both privacy risk and the chance of overinterpretation from sensitive behavioral data. Turning emotional history into stable categories and polished shareable summaries can expose deeply personal patterns and may nudge users toward self-labeling based on incomplete or context-poor inferences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal