Productivity Helper #1

Security checks across malware telemetry and agentic risk

Overview

This looks like a simple productivity helper, but it requests broad shell and file access without explaining why that power is needed.

Review before installing. The visible files do not show malicious behavior, but this planning helper asks for more local access than it explains. Install only if you are comfortable with the agent potentially running commands and reading or writing local files, and verify the external setup or GitHub instructions before following them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The activation guidance is extremely broad and maps to ordinary productivity requests like organizing tasks, planning a day, or tracking time. This creates a trigger-collision risk where the skill may activate for routine user intents without clear invocation boundaries, causing unintended tool-enabled behavior in common conversations.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The example phrase, "Help me plan my day with 5 tasks," is a natural everyday request that many users would make outside any intent to invoke this skill. Because the skill has Bash, Read, and Write available, vague trigger examples increase the chance of accidental activation of a tool-capable skill during normal conversation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal