Back to skill

Security audit

Therapy Mode

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it persistently stores highly sensitive therapy notes and its helper script writes them to a hardcoded local path that does not match the documented workspace location.

Install only if users understand that therapy conversations may be written as plaintext local files and reused across sessions. The publisher should make note-taking opt-in, disclose exactly what is stored and where, replace the hardcoded path with the actual workspace path, restrict file permissions or encrypt notes, and keep destructive operations explicit and user-directed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read and write local files for therapy notes, but no explicit permissions or user-facing consent boundaries are declared. In a mental-health context, silent file persistence is risky because highly sensitive disclosures may be stored or accessed without clear authorization or visibility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description frames the skill as therapeutic support, but the embedded CLI supports destructive and administrative file operations such as delete, archive, restore, and direct line edits. This mismatch increases the chance that users or hosting systems underestimate the data-handling and deletion capabilities of the skill, especially for sensitive mental-health records.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill mandates ongoing creation of therapy notes containing emotions, patterns, interventions, and user state, but it does not clearly warn the user that their disclosures will be stored persistently. Because this is mental-health data, the privacy sensitivity is unusually high and undisclosed retention materially increases risk of harm if the files are accessed, mishandled, or retained longer than expected.

Missing User Warnings

High
Confidence
97% confidence
Finding
The crisis protocol instructs documenting risk concerns and actions taken, yet the skill does not warn users that crisis disclosures may be recorded in notes. Recording suicidal ideation, self-harm, or other crisis details without explicit notice is especially dangerous because it creates a highly sensitive record at the moment of greatest vulnerability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI exposes archive, restore, and permanent delete operations for therapy records without a clear user-facing explanation of persistence lifecycle or destructive handling. Users may reasonably assume a conversational support tool is ephemeral, so undisclosed retention and deletion semantics create privacy and integrity risks.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This tool is explicitly designed to store highly sensitive therapy notes, but the CLI provides no disclosure about local persistence, visibility on screen, or any privacy protections. In this context, undisclosed storage and display of mental-health data increases the risk of accidental exposure to other local users, backups, logs, shoulder-surfing, or compromised endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Session creation and note updates write raw therapy content directly to disk without consent prompts, secure storage controls, or access restrictions. Because the data concerns therapy sessions, the skill context makes this substantially more dangerous than ordinary note-taking: compromise of the host, backups, sync tooling, or other local accounts could expose deeply sensitive personal and clinical information.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions direct the AI to persist and synthesize sensitive disclosures across turns, including emotions, patterns, interventions, and inferred user state. Synthesis increases sensitivity because the resulting notes may contain higher-risk interpretations and summaries beyond what the user explicitly intended to store.

Ssd 3

Medium
Confidence
94% confidence
Finding
The required post-session review and professional-style summary encourage full-session synthesis, including clinical impressions and future recommendations, which amplifies the amount and sensitivity of stored information. In a therapy context, these summaries can reveal intimate details and inferred mental-health assessments that are more harmful if exposed than raw chat alone.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill encourages remembering previous conversations and reviewing archived notes, creating long-term linkage of therapy history without explicit per-session consent. This makes the context more dangerous because mental-health records accumulate over time and can expose patterns, trauma history, and crisis episodes far beyond a single interaction.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.