Security audit

Somnia

Security checks across malware telemetry and agentic risk

Overview

Somnia is mostly a coherent nightly skill-review tool, but it deserves a Review verdict because its scheduler can create persistent background runs and, when applied, can remove a user-specified plist path.

Install only if you are comfortable with a local nightly scheduler. Review the generated plist before using --apply, avoid custom --plist values unless you intend to manage that exact file, and enable Telegram reporting only for chats where skill names and health summaries are acceptable to share. VirusTotal was pending, so this verdict is based on artifact behavior and scanner evidence rather than VT telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises operational behavior that implies access to environment data, filesystem reads/writes, networking, and shell-backed scripts, but it declares no permissions or trust boundaries. This creates a dangerous mismatch: operators may invoke the skill believing it is low-risk, while the referenced scripts could perform broader actions than expected, including accessing sensitive local data or external systems during nightly runs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The script can transmit nightly review summaries to Telegram, which extends a local maintenance/review tool into an external messaging channel. In this skill context, reports may contain skill names, paths, validation status, and operational metadata, so enabling Telegram increases data exposure risk beyond the stated local-review purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The script can install and remove a persistent LaunchAgent under the user's home directory, creating scheduled execution beyond one-off review/report generation. That persistence is a meaningful host-level capability and expands the skill's effect surface relative to a maintenance-review description, especially because `--apply` turns planning into an actual system change.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
Using `launchctl` gives the skill the ability to register and control macOS background jobs, which is a host-management capability not necessary for simply generating review reports. In skill context, this increases danger because a maintenance-oriented tool can silently become a persistence mechanism if invoked with `--apply`.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding:
The skill description emphasizes safe proposal-only maintenance, but it also writes JSON, Markdown, and proposal artifacts to disk without clearly warning users up front. That omission can lead to unanticipated persistence of potentially sensitive review outputs, especially because the skill processes feedback, health summaries, and replay-related metadata.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The code sends the generated review markdown to Telegram without any runtime warning about what data leaves the host. In a maintenance-review skill that is expected to operate locally, this lack of disclosure can cause operators to unknowingly exfiltrate internal operational details to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.