
Security audit

个人待办管理 (Personal Todo Manager)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, local todo-manager skill whose persistence is limited to workspace JSON files. The two points that deserve care are its broad trigger conditions, which can fire on ordinary talk about tasks or plans, and its deletion behavior, which removes fuzzy-matched items without confirmation.

Install only if you are comfortable with the agent maintaining todo state in local workspace JSON files. Use explicit item numbers or exact task names for changes, and ask the agent to confirm before deleting or changing fuzzy-matched todos.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch
Medium, 91% confidence

The examples expand the skill from simple todo management into GitHub issue linkage and local repository/path handling, which are materially different capabilities from those declared in the metadata. This can mislead reviewers and users about the skill’s effective access scope, and it introduces pathways to expose repository metadata and local environment details without clear justification.

Context-Inappropriate Capability
Medium, 94% confidence

The example shows the assistant accepting a local filesystem path, detecting a git project, and reading the current branch. Accessing local paths and repository state is sensitive because it reveals workstation structure and development context, and none of it is necessary for basic todo management. In this skill context the behavior is more dangerous, not less, because users reasonably expect simple list operations rather than environment inspection, so they are unlikely to notice or question it.

Vague Triggers
Medium, 87% confidence

The trigger conditions are broad enough to match ordinary conversation about tasks, plans, or TODOs, which can activate a skill that reads and modifies local workspace files when the user did not intend to invoke it. Because the skill supports create, update, and delete actions, an accidental activation is not just noise: it can change or remove stored state without the user ever asking for the todo manager.

Missing User Warnings
Medium, 90% confidence

This workflow writes to workspace JSON files but never states that local data will be created or modified, so users may not realize that their request causes persistent filesystem changes. In an agent environment, silent persistence raises the risk of unexpected file creation, task data leaking into a shared workspace, and unintended modification of project state.

Missing User Warnings
Medium, 94% confidence

The delete flow instructs the agent to remove items from storage without an explicit deletion warning or confirmation, which creates a clear risk of irreversible or hard-to-recover data loss. This is especially risky because matching is fuzzy, so the wrong item could be selected and deleted based on an ambiguous phrase.

Missing User Warnings
Medium, 87% confidence

The deletion flow performs immediate removal with no confirmation, no undo, and no safeguard against ambiguous matches. That is a real integrity risk: a mistaken or adversarially induced command (for example, text injected into the conversation that reads like a delete request) can irreversibly remove task data. In a todo-management skill, destructive actions are part of normal use, so a missing confirmation is more dangerous here than it would be in a read-only skill.
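The two deletion findings above, together with the overview's advice to use explicit item numbers and to confirm before acting on fuzzy matches, describe one gap: a destructive action that is resolved by guesswork and executed without a checkpoint. The block below is an added example, written for this audit page and not taken from the skill or from SkillSpector, of how a JSON-backed todo tool can close that gap. It resolves a reference only by item number or a unique exact title, returns fuzzy hits as candidates rather than acting on them, requires a confirmation callback before removal, moves deleted items to a tombstone list so the action can be undone, and writes the file atomically. The store layout (`todos` and `trash` lists, `id`/`title`/`done` fields), the sample items, and the `fuzzy_cutoff` value are all assumptions.

```python
"""Added example (not the audited skill's code): a deletion path for a
JSON-backed todo store that never acts on a fuzzy match, asks before a
destructive change, and keeps a tombstone so a mistake is reversible.
The store layout and sample items are assumptions made for illustration."""
import difflib
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data; the two "buy milk" titles are deliberately similar.
SAMPLE_STORE = {"todos": [
    {"id": 1, "title": "buy milk", "done": False},
    {"id": 2, "title": "buy milk for office", "done": False},
    {"id": 3, "title": "write report", "done": True},
]}


def fresh_store():
    """Deep copy of the sample so each run starts from the same state."""
    return json.loads(json.dumps(SAMPLE_STORE))


@dataclass
class Resolution:
    item: Optional[dict] = None                      # the single item to act on
    candidates: list = field(default_factory=list)   # fuzzy hits; user must pick
    reason: str = ""


def resolve_target(todos, ref, fuzzy_cutoff=0.6):
    """Map a user reference ("3", "buy milk", "milk") to exactly one item.
    Only an item number or a unique exact title resolves; anything fuzzier
    comes back as candidates so the agent must ask instead of guessing."""
    ref = ref.strip()
    if ref.isdigit():                                # explicit number: unambiguous
        hits = [t for t in todos if t["id"] == int(ref)]
        return Resolution(item=hits[0]) if hits else Resolution(reason=f"no item #{ref}")
    exact = [t for t in todos if t["title"].casefold() == ref.casefold()]
    if len(exact) == 1:
        return Resolution(item=exact[0])
    if exact:                                        # duplicate titles: number required
        return Resolution(candidates=exact, reason="duplicate titles; use the item number")
    close = difflib.get_close_matches(ref, [t["title"] for t in todos], n=5, cutoff=fuzzy_cutoff)
    cands = [t for t in todos if t["title"] in close]
    return Resolution(candidates=cands, reason="fuzzy match; confirm by item number")


def delete_todo(store, ref, confirm):
    """Remove an item only if the reference is unambiguous AND confirm(item)
    returns True. The item is moved to store["trash"], not discarded."""
    res = resolve_target(store["todos"], ref)
    if res.item is None:
        return {"deleted": None, "needs_choice": res.candidates, "reason": res.reason}
    if not confirm(res.item):
        return {"deleted": None, "needs_choice": [], "reason": "user declined"}
    store["todos"] = [t for t in store["todos"] if t["id"] != res.item["id"]]
    store.setdefault("trash", []).append(res.item)
    return {"deleted": res.item, "needs_choice": [], "reason": ""}


def undo_delete(store, item_id):
    """Restore a tombstoned item; returns True if something was restored."""
    for t in store.get("trash", []):
        if t["id"] == item_id:
            store["trash"].remove(t)
            store["todos"].append(t)
            store["todos"].sort(key=lambda x: x["id"])
            return True
    return False


def save_store(store, path):
    """Atomic write: temp file in the same directory, then os.replace, so an
    interrupted write cannot leave a truncated todos.json behind."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".todos-", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(store, f, ensure_ascii=False, indent=2)
    os.replace(tmp, path)


def load_store(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Walk the flow end to end and return the store as reloaded from disk."""
    store = fresh_store()
    print(delete_todo(store, "milk", confirm=lambda t: True))   # ambiguous: nothing deleted
    print(delete_todo(store, "3", confirm=lambda t: True))      # explicit number: deleted
    path = os.path.join(tempfile.mkdtemp(), "todos.json")
    save_store(store, path)
    return load_store(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important design choice is that a fuzzy hit is never an answer, even when there is only one candidate: the tool hands the candidates back and waits for an item number. That is what blocks both the honest mistake ("milk" when two milk items exist) and an injected instruction that names a task loosely, and it is the behavior the overview recommends users ask the agent for.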

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.