Security audit

Super Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad proactive access to personal context, local files, apps, email/calendar checks, scheduled work, and self-modification without enough clear user control.

Install only if you explicitly want an agent that keeps durable personal/work context and acts proactively. Before use, narrow the rules: require opt-in for email, calendar, browser, app cleanup, screenshots, cron jobs, sub-agents, and self-modifying AGENTS.md or TOOLS.md; add a clear privacy notice and review/delete process for memory files; and remove or gate BOOTSTRAP.md auto-follow behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding
The skill authorizes broad autonomous research, experimentation, and even spawning sub-agents as part of 'self-healing' without tightly constraining scope to the user's current task. In a tool-enabled agent, this can expand access to external content and side effects far beyond the stated purpose of proactive collaboration, increasing attack surface and enabling unintended actions driven by prompt injection or poor judgment.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
The heartbeat checklist instructs the agent to close apps, clean browser tabs, and move screenshots to trash, which are endpoint-management actions unrelated to the skill's core purpose. These actions can disrupt user activity, destroy potentially important artifacts, and normalize autonomous file/system modification without explicit consent.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding
The skill explicitly instructs the agent to go beyond memory/proactivity behavior and use broad external execution/orchestration capabilities such as CLI, browser, web search, and spawning agents. In a reusable skill, this materially expands operational authority and can cause the agent to take unintended actions or chain into riskier tools without task-specific consent.

Context-Inappropriate Capability

Severity: Low | Confidence: 86%
Finding
The skill tells the agent to schedule a weekly cron reminder, introducing autonomous recurring behavior that may not be expected from a memory/proactivity skill. Even if low severity, unattended scheduling can create persistence, surprise side effects, and policy drift if the environment permits automation.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
The skill authorizes broad external-capability use such as web search, calendar checks, email monitoring, and general workspace exploration, which exceeds a narrowly scoped memory/state-management role. Even though some guardrails are present, this expands the agent's authority and increases the chance of unnecessary data access, privacy violations, or unintended actions driven by proactive behavior.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding
The instruction 'Don't ask permission. Just do it.' conflicts with later requirements to confirm before deletions and before actions that leave the machine. Conflicting authority rules create unsafe ambiguity: an autonomous agent may prioritize the more aggressive instruction and take actions without adequate user consent.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The file says external content must never be treated as instructions, yet it directs the agent to follow BOOTSTRAP.md automatically if present. That creates a direct prompt-injection path: any actor able to place or modify BOOTSTRAP.md can steer agent behavior and potentially induce unsafe file, tool, or data operations.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The heartbeat checklist significantly expands beyond state management and proactive collaboration into workstation administration and personal workflow surveillance, including app closure, browser hygiene, desktop cleanup, and monitoring emails and calendars. In an agent skill, this increases the action surface and creates opportunities for privacy-invasive or destructive behavior without explicit, task-scoped user consent.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
The system cleanup section authorizes operational changes to the user's environment that are not justified by the skill's advertised role. Closing apps, modifying browser state, and cleaning the desktop can cause data loss, disrupt user workflows, or normalize unsafe autonomous behavior in contexts where the agent should only manage its own state.

Vague Triggers

Severity: Medium | Confidence: 83%
Finding
The reverse-prompting triggers are broad and activate during ordinary conversation based on vague conditions like learning new context or things feeling routine. That can cause the agent to opportunistically solicit more information or initiate new workflows without clear user intent, increasing privacy and scope-creep risk.

Vague Triggers

Severity: Medium | Confidence: 86%
Finding
Using 'long conversation' as the trigger for curiosity questions is ambiguous and creates permission for the agent to probe for personal details in many normal interactions. In combination with the skill's persistence features, this can drive excessive collection of user data without meaningful boundaries.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The onboarding flow has the agent automatically populate USER.md and SOUL.md from user answers, but it does not provide clear warnings or consent controls for persistent retention of potentially sensitive personal information. This creates a privacy and data-governance risk, especially if users do not realize ordinary conversation will be written to files.

Vague Triggers

Severity: Medium | Confidence: 95%
Finding
The WAL trigger says to scan every message for a wide range of common content such as corrections, names, preferences, decisions, and URLs, which effectively makes the skill continuously active. Ambiguous always-on triggers increase the chance of over-collection, accidental activation, and conflicts with user intent or platform policies.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding
The compaction recovery feature uses vague natural-language triggers like 'continue' or 'where were we?' that are common in ordinary conversation. This can cause the recovery routine to fire unexpectedly, leading to unnecessary file reads, state reconstruction, or disclosure of persisted context when the user did not intend that behavior.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The quick start directs the agent to auto-populate persistent files like USER.md and SOUL.md from the user's answers without a direct privacy or retention warning. Automatically writing user-provided information to disk can surprise users and create avoidable retention of sensitive or personal data.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
The memory architecture instructs pervasive logging across multiple files and states that important information should be written down immediately. Without an upfront warning and consent model, this creates broad persistent capture of user content, including potentially sensitive details, across several durable locations.

Missing User Warnings

Severity: Medium | Confidence: 98%
Finding
The working buffer protocol requires logging every exchange after a threshold, including the human's full message and an agent summary, but does not clearly warn that this amounts to transcript retention. Comprehensive conversational logging increases privacy risk, exposure during later retrieval, and the blast radius if files are accessed by other tools or users.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
The WAL trigger criteria are extremely broad, covering ordinary conversational elements like names, preferences, decisions, and numbers in 'every message.' In practice this can cause the skill to activate persistent writes on routine user input, increasing unintended data capture and causing the agent to over-apply stateful behaviors without explicit consent.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding
The compaction-recovery auto-triggers include vague phrases such as 'continue' or 'where were we?' that occur naturally in ordinary conversations. This can spur file reads and recovery behavior when not actually needed, leading to unnecessary retrieval of stored context and increasing exposure of previously logged user data.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The onboarding flow says the agent will auto-populate USER.md and SOUL.md from conversational answers, but it does not present a clear warning that personal data will be written into persistent files. That creates a consent and privacy gap, especially because users may answer informally without realizing their responses become durable profile records.

Vague Triggers

Severity: Medium | Confidence: 81%
Finding
The self-improvement guidance tells the agent to update AGENTS.md, TOOLS.md, or relevant files immediately after mistakes or lessons learned, without strong scope limits or approval requirements. This can cause drift in operational policy, accidental weakening of safeguards, or recursive self-modification based on transient errors or adversarial inputs.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The instruction to move old screenshots to trash directs the agent to alter user files without explicit warning, consent, or safe criteria for identifying what is disposable. Screenshots may contain sensitive records, evidence, work artifacts, or unsaved information, so autonomous deletion creates both privacy and integrity risks.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
Periodic review of emails and calendar entries instructs the agent to access highly sensitive personal and professional data without any privacy notice, scope limitation, or consent boundary. In a proactive heartbeat flow, this can normalize background surveillance and expose confidential communications, schedules, and relationships beyond the user's immediate request.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
This template explicitly encourages storing sensitive personal information such as background details, preferences, important dates, relationships, and ongoing context in a long-term memory file, but provides no privacy notice, minimization guidance, retention limits, or handling restrictions. In an agent skill focused on persistent memory and proactive behavior, this increases the chance of collecting and retaining personal data beyond user expectations, which can lead to privacy harm or accidental disclosure if the file is synced, exposed, or reused.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file tells users the agent will update USER.md and SOUL.md with personal context after onboarding, but it does not clearly disclose up front that answers will be stored persistently across files. This creates a consent and privacy risk because users may share sensitive personal or workplace information without understanding it will be retained and reused later.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Level: Warn | Code: suspicious.prompt_injection_instructions | Location: assets/HEARTBEAT.md:11

Prompt-injection style instruction pattern detected.

Level: Warn | Code: suspicious.prompt_injection_instructions | Location: references/security-patterns.md:9

Prompt-injection style instruction pattern detected.

Level: Warn | Code: suspicious.prompt_injection_instructions | Location: SKILL-v2.3-backup.md:179