Manage Your Family's todos

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local family todo-list skill with expected file storage and no evidence of hidden network access, exfiltration, or unsafe automatic behavior.

Reasonable to install for a local household todo workflow. Treat the stored todo file as plain local data, avoid putting highly sensitive information in tasks, and do not rely on the user ID fields as real security controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Low
Confidence: 85%
Finding
The filter logic grants visibility not only to the named owner's tasks and 'Family' tasks, but also to any task whose owner equals the configured identifier value for that owner. This creates inconsistent access-control semantics and can expose another user's tasks if task ownership is stored using configured IDs rather than intended display names.

Intent-Code Divergence

Low
Confidence: 80%
Finding
The configuration labels the shared bucket as 'Shared', while the rest of the code treats shared tasks as owner 'Family'. This mismatch can cause shared tasks to be omitted from expected views or misclassified, weakening separation logic and causing accidental disclosure or concealment of tasks.

VirusTotal

66/66 vendors flagged this skill as clean.
