Workday Music Greeter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it schedules weekday music scene changes and greeting emails, with the main caution being its optional cron installer.

Install only if you want recurring weekday music changes and greeting emails. Before running install-cron.sh, inspect the fixed schedule, confirm WMG_MAIL_TO and SMTP credentials are correct, and test run.sh with --dry-run first.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script non-interactively overwrites the user's crontab by piping content directly into `crontab -` with no confirmation, dry-run, or explicit warning at the point of change. Even though this appears intended as a convenience installer, persistence changes to scheduled tasks can surprise users, break existing automation if parsing fails, or create unintended recurring execution.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal