Security audit

ai smoking buddy

Security checks across malware telemetry and agentic risk

Overview

This does not look like malware, but it should be reviewed because it stores smoking/persona data and adds a persistent tobacco roleplay economy beyond a simple style overlay.

Install only if you intentionally want a persistent smoking-roleplay layer. Before enabling it, understand that it may save smoking preference and brand information locally, infer persona details from hidden prompt context, steer dialogue around cigarette purchases and simulated debt, and provide tobacco brand flavor/pricing content. This warrants review, but the artifacts do not show exfiltration, destructive behavior, or executable malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (39)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest frames this as light reply styling, but the implementation introduces a persistent simulation system with per-turn state, economy, debt, cigarette counts, and behavior orchestration. That mismatch is dangerous because it expands the skill's behavioral scope beyond user expectations and creates hidden data retention and manipulation surfaces unrelated to the stated persona purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill stores user smoking-related attributes such as whether the user smokes and their brand preference, which are sensitive habit/health-adjacent profile data. Persisting this data for a cosmetic persona feature is disproportionate and can violate data minimization expectations, especially when written to a local state file every turn.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Form detection inspects host system prompt content to infer dog/cat/human/other identity, which exceeds the declared smoking-persona function and uses privileged prompt context for unrelated classification. Accessing and operationalizing system-prompt content in this way increases prompt-surface abuse risk and creates hidden behavior branching the user did not request.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Claiming the skill is 'a persona layer, not a tool' while specifying persistent file I/O and structured state management is misleading about what the skill actually does. This matters because users and reviewers may underestimate the capability and privacy impact of a component that silently reads and writes files each turn.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest description advertises capabilities far beyond the declared smoking-persona scope, including species/persona mechanics, money tracking, debt/repayment rules, and persistent disk-backed state. This kind of scope expansion is dangerous because it can mislead reviewers and users about what the skill actually does, enable hidden behavior persistence across sessions, and create unauthorized statefulness unrelated to the opt-in purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The manifest includes unrelated persona/species generation and progression mechanics that are not justified by the skill's declared purpose of adding light smoking characterization. Such hidden or extraneous behavioral systems increase the chance of deceptive operation, consent bypass, and unpredictable agent behavior outside the user's intended opt-in scope.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The manifest includes unrelated persona/species generation and progression mechanics that are not justified by the skill's declared purpose of adding light smoking characterization. Such hidden or extraneous behavioral systems increase the chance of deceptive operation, consent bypass, and unpredictable agent behavior outside the user's intended opt-in scope.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This finding is valid because the file does more than provide light characterization details: it encodes pricing tiers, budget thresholds, and references to cigarette purchasing, borrowing, and repayment logic. That materially operationalizes tobacco acquisition behavior and can steer the agent into facilitating consumption planning, which increases user harm and exceeds the declared persona scope.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This is a true issue because it introduces stateful progression mechanics such as a 'newbie period,' a '41st cigarette' milestone, and later switching behavior. Those mechanics gamify and normalize continued smoking over time, encouraging repeated use patterns rather than merely adding incidental characterization.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file materially expands the skill from a 'person who happens to smoke' persona into a dog-form smoking roleplay system, directly contradicting the declared scope. This creates a capability mismatch that can cause the agent to produce unintended fetishistic, transformation, or animal-character smoking content, which is especially risky because the file is framed as executable behavior guidance rather than inert examples.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The breed-specific action pools introduce a large, hidden capability surface for animal transformation roleplay that is not justified by the skill metadata. Because the content is extensive and operationalized, it can steer outputs into unapproved persona modes and evade user expectations or upstream policy controls that rely on the manifest's narrower description.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The statement that dog-form content 'replaces the humanoid prototype layer' shows the off-scope behavior is not incidental but designed to override the primary persona architecture. That makes the mismatch more dangerous, because the file is effectively instructing the agent to swap identities in ways the manifest does not disclose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
These rules add a persistent economy loop centered on borrowing money for cigarettes and tracking repayment, which materially changes the skill from light persona flavor into an ongoing solicitation mechanic. In context, this is dangerous because it encourages the agent to steer conversations toward extracting money/tasks from the user for the persona's benefit rather than serving the user's primary request.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section explicitly scripts the agent to ask the user for money to buy the first pack and to maintain debt state, normalizing transactional dependency between user and agent. That exceeds a harmless persona overlay and creates manipulative pressure to comply with repeated financial-roleplay prompts unrelated to the user's task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file directs the agent to periodically complain and ask for tasks or more money every 5–8 turns when it cannot afford cigarettes. This creates persistent unsolicited nudging behavior that can distract from the user's goals and function as manipulative engagement bait inside normal task-oriented conversations.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documented behavior conflicts with the declared skill purpose by redirecting interaction toward funding cigarettes through recurring requests for work or loans. In context, that contradiction makes the skill more dangerous because users are told their task stays primary while the implementation intentionally injects off-task pressure points.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file defines a detailed cigarette-use progression system, milestone-based behavioral changes, brand switching, and persistent smoker identity state despite the skill metadata explicitly claiming it does not model addiction progression. This mismatch is dangerous because it enables concealed scope expansion into long-term habit reinforcement and manipulation while bypassing user and reviewer expectations about what the skill does.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The economy subsystem introduces borrowing, debt, repayment triggers, wallet tracking, and pack-purchase decision logic that are not necessary for 'light smoking characterization.' This adds compulsive game-like reinforcement around obtaining cigarettes and creates broader behavioral manipulation and financial-state tracking unrelated to the user's requested task.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reference explicitly specifies persistent state storage in ~/.claude/state/smoking-persona.json, which exceeds what is needed for a transient persona overlay. Persisting behavioral and persona state across sessions increases privacy risk and allows hidden accumulation of sensitive smoking-related profiling without clear necessity.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file instructs the agent to extract persona traits from the system prompt and then treat that inference as the basis for a user confirmation flow. That expands the skill from optional smoking flavor into broader persona derivation based on hidden context, which can cause the agent to use privileged instructions for behavior shaping outside the user’s explicit request.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly asks '你抽什么' ("What do you smoke?") and says to lock `user_smokes` and `user_brand`, creating collection and persistence of smoking-status data that is not necessary for the declared purpose. Smoking status can be sensitive behavioral data, and retaining it without clear necessity or consent increases privacy risk and the chance of inappropriate future personalization.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This instruction tells the agent to rely on the user's system prompt for inferring form/species details when the user does not provide them. Using system-prompt content as a data source for persona construction exceeds the skill’s stated scope and creates a channel for hidden-context leakage into visible behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The document defines a substantial persona-building system covering personality, archetype/species, and cigarette brand selection, plus persistence and later modification flows. That is materially broader than a skill that should merely weave optional smoking characterization into replies, increasing the chance of unauthorized behavioral steering and unnecessary user profiling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill writes a state file on every turn without an adjacent user-facing warning or explicit storage consent. Silent persistence is dangerous because it creates covert retention of behavioral and preference data, preventing informed consent and making it hard for users to understand or control what is being saved.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This file explicitly operationalizes smoking behaviors and imagery across many contexts, including normalization of smoking as a stylistic persona element rather than a safety-gated topic. In an agent skill, that can promote or glamorize tobacco use, create unsafe characterization for users who did not clearly consent, and increase policy/compliance risk around harmful-content handling.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.