Productivity Helper #5

Security checks across malware telemetry and agentic risk

Overview

The scan only supports a caution about broad activation, not evidence of hidden or harmful behavior.

Install only if you are comfortable with a planning skill that has file-write and shell-capable permissions. Prefer explicit invocation and review any proposed file or command actions before approving them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation guidance is broad enough to match routine user requests such as organizing tasks, planning a day, or tracking work, which creates a risk of unintended skill invocation. Because the skill has Bash and Write permissions, accidental activation could expand the assistant's tool use in ordinary conversations beyond what the user explicitly intended.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The example trigger, 'Help me plan my day with 5 tasks,' is a highly generic natural-language request that overlaps with normal assistant usage. This increases the chance that the skill will be invoked unintentionally during ordinary conversation, again exposing Bash/Write-enabled behavior without clear user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal