Security audit

Session Summary

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local session-summary helper that saves to an Obsidian folder, with privacy cautions around broad trigger phrases and saved session details.

Install only if you want session details saved into the configured Obsidian vault. Review the vault path, use explicit summary commands, and avoid saving sessions that include secrets or sensitive project details unless you are comfortable keeping them in local notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding: The trigger phrases are short and generic enough that ordinary conversation about ending a session or asking for a summary could invoke the skill unintentionally. Because the skill writes data to disk, accidental activation can cause unwanted file creation or persistence of sensitive session content without deliberate user intent.

Missing User Warnings

Medium
Confidence: 89%
Finding: The skill advertises automatic saving to a local Obsidian vault but does not provide an explicit warning or consent step around file writes. This is dangerous because session summaries may include sensitive project details, and silently persisting them to a fixed path can create privacy, retention, or data leakage risks on the host system.

VirusTotal

66/66 vendors flagged this skill as clean.
