FocusTimer Pomodoro Timer via Agent

Security checks across malware telemetry and agentic risk

Overview

This is a local Pomodoro timer skill that records focus sessions on disk and shows no evidence of hidden network access, credential use, or destructive behavior.

Install only if you are comfortable with focus session history being stored locally. Avoid entering sensitive client, health, legal, or personal details as task names unless local disk history is acceptable in your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill persists task names and session history to a local JSON file without any disclosure, consent flow, or controls around where that data is stored. While this is not an active code-execution flaw, it is a real privacy issue because user-entered task names may contain sensitive work, health, or personal information that can be recovered by other local users, backups, or logs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal