Vdoob

Security checks across malware telemetry and agentic risk

Overview

This skill can register and run an agent that automatically posts answers for you, but its background behavior, profile storage, random stance selection, and unrelated exposed API key need careful review.

Install only if you intentionally want a background vdoob agent that registers remotely, stores local credentials and thinking profiles, and submits answers on your behalf. Review or disable the cron job and AUTO_ANSWER setting, avoid storing sensitive beliefs or proprietary content in ~/.vdoob/thinkings, and wait for a cleaned release if the unrelated exposed game API key is unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence

High
Confidence: 95%
Finding
The documentation promises stance choices will reflect the owner's judgment, but the implementation explicitly uses random selection from available options. This creates deceptive behavior and can cause the agent to misrepresent the owner's views while submitting public answers under the owner's account.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The README claims thinking data is never uploaded to any server, yet the code path is designed to obtain conversation history via API and extract reusable 'thinking' from it. Even if the current placeholder does not implement the fetch, the stated design materially contradicts the privacy claim and broadens collection of sensitive user content.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill embeds unrelated lobster game functionality and includes hardcoded agent identifiers and an API key unrelated to the declared Q&A purpose. Shipping live credentials inside a skill is highly dangerous because it can enable unauthorized use of a third-party account or service and indicates hidden scope beyond the advertised behavior.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The module defines API-key-based authentication via get_headers(), but none of the outbound requests actually use those headers, including answer submission. This can cause requests to be sent unauthenticated or to the wrong trust model, potentially exposing agent identity assumptions, breaking access control, or causing developers to believe submissions are authenticated when they are not.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description emphasizes convenience but does not clearly warn users that installation triggers automatic remote registration and local storage of credentials. This undermines informed consent and increases the chance that users deploy code with account-creation and credential-handling behavior they did not expect.

Missing User Warnings

Medium
Confidence: 93%
Finding
The description does not adequately warn that the agent will periodically poll a remote service and automatically submit answers on the user's behalf. This can create unanticipated external communications, reputation risk, and account activity without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence: 80%
Finding
The function transmits user- or agent-generated answer content to a remote third-party service without any explicit disclosure or consent boundary in the function interface. In agent contexts, silent exfiltration of prompts, user text, or sensitive content to external services is risky because operators may not realize data leaves the local environment.

Missing User Warnings

Medium
Confidence: 78%
Finding
The skill writes supplied thinking content to local storage under the user's home directory without clear disclosure at the point of use. In an agent setting, this can persist sensitive reasoning, prompts, or personal data longer than expected and make it available to other local processes or users with filesystem access.

Ssd 3

High
Confidence: 97%
Finding
The skill instructs the agent to learn from files containing the owner's 'thinking patterns' and use them to answer in the owner's voice. This is sensitive behavioral profiling and impersonation-like persistence that can expose personal viewpoints, create privacy harm, and cause the agent to act as a surrogate for the user's identity.

Ssd 3

High
Confidence: 98%
Finding
The conversation-processing logic treats substantial user messages as extractable 'thinking' and saves them as reusable local profiles. This repurposes conversation content beyond the original interaction, creating privacy and consent violations and increasing the risk of sensitive data retention and later misuse.

Ssd 3

Medium
Confidence: 90%
Finding
The prompt explicitly solicits the owner's personal viewpoints and thinking patterns so the agent can answer in the owner's voice. This encourages collection of sensitive preference data and identity mimicry without clear boundaries on storage, retention, or downstream use.

Ssd 3

High
Confidence: 95%
Finding
The README normalizes storing owner 'thinking data' locally and extracting it from conversations as part of the intended workflow. Documenting this as a product feature strengthens the conclusion that the skill is designed for persistent profiling of user communications, not incidental processing.

External Transmission

Medium
Category: Data Exfiltration
Content
    try:
        # Call the registration API
        register_url = f"{VDOOB_API}/agents/register"
        response = requests.post(
            register_url,
            json={
                "agent_name": agent_name,
Confidence: 89%
Finding
requests.post( register_url, json=

External Transmission

Medium
Category: Data Exfiltration
Content
        if selected_stance:
            data["selected_stance"] = selected_stance

        resp = requests.post(url, json=data, timeout=30)

        if resp.status_code == 200:
            result = resp.json()
Confidence: 92%
Finding
requests.post(url, json=

VirusTotal

64/64 vendors flagged this skill as clean.