Therapy Mode

Security checks across malware telemetry and agentic risk

Overview

This therapy skill is mostly coherent, but it stores very sensitive mental-health notes persistently and uses a hardcoded local path that does not match the documented workspace location.

Install only if you are comfortable with therapy conversations being written to local plaintext files. Before broad use, the publisher should replace the hardcoded path with the actual workspace path, make note-taking opt-in, clearly explain what is stored and where, add secure storage or restrictive permissions, and keep destructive actions explicit and reversible where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs file reads and writes for therapy notes, but no explicit permissions declaration accompanies those capabilities. In a therapy context, undeclared persistence and file access are especially risky because they can store sensitive mental-health disclosures and surprise users or operators who expect a conversational-only skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The description frames the skill as therapeutic support with session notes, but the documented behavior includes destructive and administrative record operations such as delete, archive, restore, and line-level editing. That mismatch is dangerous because reviewers and users may not appreciate that the skill can alter or permanently remove sensitive records, creating confidentiality, integrity, and auditability risks.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill mandates persistent storage of highly sensitive therapy notes each turn, including emotions, patterns, interventions, and user state, without any visible consent flow or privacy warning. In a mental-health setting this materially increases harm because users may reveal trauma, suicidality, medication, or relationship details without understanding they are being written to disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The crisis protocol instructs documentation of risk concerns and actions taken, but the skill does not clearly warn users that crisis disclosures may be recorded in persistent notes. This is especially sensitive because crisis conversations often include suicidal ideation, self-harm, means, intent, and emergency details, which are among the most sensitive categories of personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI exposes archive, restore, and permanent delete operations for therapy records without warning about destructive consequences or the sensitivity of the data. This creates a realistic risk of accidental or unauthorized loss of mental-health records, and users may not understand that deletion is irreversible.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This tool stores and displays highly sensitive mental-health session notes in plaintext under a fixed local path with no access-control checks, encryption, consent notice, or privacy safeguards. In the context of therapy records, mishandling confidentiality is especially dangerous because disclosure could cause severe privacy harm, stigma, or downstream misuse of protected personal and health information.

Ssd 3

High
Confidence
95% confidence
Finding
The instructions require ongoing logging and later review of sensitive therapy disclosures across sessions, including synthesized clinical-style impressions and connections to prior history. That is dangerous because it expands both the amount and interpretive depth of stored data, increasing privacy exposure, profiling risk, and harm from unauthorized access or misuse.

Ssd 3

High
Confidence
97% confidence
Finding
The session-notes workflow operationalizes a persistent written record of user inputs, arousal state, interventions, and key insights in workspace files, turning sensitive conversations into durable local records. In the therapy context, this is more dangerous than ordinary logging because the content is likely to include intimate mental-health data, crisis indicators, and inferred psychological patterns.

VirusTotal

65/65 vendors flagged this skill as clean.
