Productivity Helper #4

Security checks across malware telemetry and agentic risk

Overview

This is a simple productivity-planning skill with broad optional tool permissions but no evidence of hidden, destructive, or deceptive behavior.

Before installing, consider whether this general productivity helper really needs Bash, Read, and Write access for your use case. Treat the external setup guide and manual GitHub clone as separate materials to review before following them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The activation guidance is extremely broad and matches routine productivity requests such as organizing tasks, planning a day, or reviewing progress. This can cause the skill to trigger for generic user intents and unnecessarily grant Bash/Read/Write-capable behavior in situations where no specialized skill is needed, increasing the chance of unintended tool use or prompt-surface expansion.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The example trigger phrase, 'Help me plan my day with 5 tasks,' is a common natural-language request that many users could make in ordinary chat. Because the skill has Bash, Read, and Write permissions, a generic trigger example raises the risk of accidental invocation and unnecessary exposure of file-system or command-execution capabilities during benign productivity conversations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal