Smart Surprise

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it creates an always-running surprise messenger that can contact users, learn preferences silently, and optionally use calendar credentials.

Install only if you explicitly want an assistant that messages you on its own at random intervals until you remove its cron jobs. Before enabling it, set the correct timezone, quiet hours, channel target, and interval bounds; disable the calendar topic unless you are comfortable with the skill holding Google Calendar credential access; and periodically review the cron jobs and topics.md so you can stop the chain or correct learned preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Vague Triggers

High
Confidence
97% confidence
Finding
The activation guidance is broad enough to permit proactive outreach whenever the agent 'wants' to reach out, rather than only after a narrowly scoped, informed user opt-in. In a skill that can send outbound messages and self-schedule indefinitely, vague activation criteria materially increase the chance of unwanted messaging, consent bypass, and spam-like behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill describes an autonomous, self-perpetuating outbound messaging system but does not prominently warn users that it will continue scheduling itself and contacting them without a new manual action each time. That omission is dangerous because users may install it without understanding the persistence, frequency randomness, or that messages will be sent over external channels automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions say the agent should silently update learned preferences based on user behavior, creating persistent user-related state without clear notice or consent. Silent retention and modification of behavioral inferences can surprise users, create privacy concerns, and amplify profiling beyond what they reasonably expect from a messaging skill.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Defaulting to a specific timezone without user opt-in can cause incorrect delivery times, including messages outside intended waking hours, and may reveal poor assumptions about the user's locale. In a proactive messaging skill, wrong locale defaults increase nuisance and consent-related risk because quiet-hour protections may not work as the user expects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file explicitly states it is read and updated by the agent on every run and that topic preferences are silently modified after each interaction. This creates an unconsented local state mutation mechanism that can alter user data or behavior over time without a clear runtime notice, confirmation step, or audit trail. The added instruction that users may manually edit the file increases the sensitivity because it encourages direct trust in a mutable control file.
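The finding above is that topics.md is rewritten on every run with no notice, confirmation step, or audit trail. The following Python is an added example (not part of the skill or of the scanner) of the audit trail a user could run between chain iterations: it hashes each snapshot, chains the hashes so an earlier log entry cannot be altered unnoticed, diffs the parsed topic weights, and flags any topic outside a user-defined allowlist (here the calendar topic, which the overview recommends disabling). The `- name: weight` line format and the sample file contents are constructed for the example; the page does not show the real layout of topics.md.

```python
"""Audit trail for the mutable topics.md control file (added example, assumed format)."""
import hashlib
import difflib

# Constructed samples: topics.md before and after one agent run.
BEFORE = """# topics
- greetings: 3
- tips: 2
- news: 1
"""
AFTER = """# topics
- greetings: 4
- tips: 2
- news: 0
- calendar: 1
"""
ALLOWED = {"greetings", "tips", "news"}   # calendar deliberately not opted into


def parse_topics(text):
    """Map '- name: weight' lines to {name: weight}; any other line is ignored."""
    topics = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- ") or ":" not in line:
            continue
        name, _, weight = line[2:].partition(":")
        try:
            topics[name.strip()] = int(weight)
        except ValueError:
            continue  # malformed weight: skip it rather than abort the audit
    return topics


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_run(before, after, allowed, prev_entry_hash="0" * 64):
    """Compare two snapshots and return an audit entry chained to the previous entry."""
    old, new = parse_topics(before), parse_topics(after)
    entry = {
        "before": digest(before),
        "after": digest(after),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
        "disallowed": sorted(set(new) - allowed),
        "diff": list(difflib.unified_diff(
            before.splitlines(), after.splitlines(),
            "topics.md@before", "topics.md@after", lineterm="")),
    }
    # Hash chain: editing an earlier entry changes every later entry_hash.
    chained = (prev_entry_hash + entry["before"] + entry["after"]).encode("utf-8")
    entry["entry_hash"] = hashlib.sha256(chained).hexdigest()
    return entry


def violates_policy(entry):
    """True when the run introduced a topic the user never opted into."""
    return bool(entry["disallowed"])


if __name__ == "__main__":
    e = audit_run(BEFORE, AFTER, ALLOWED)
    print("\n".join(e["diff"]))
    print("changed:", e["changed"], "disallowed:", e["disallowed"])
```

In practice you would snapshot the file right after each cron firing, append the entry to a log outside the agent's working directory, and treat a `disallowed` hit as the signal to stop the chain and edit topics.md back.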

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill directs the agent to retain and reuse preference signals across sessions and notes that each run uses the main session with conversation history. Persistent cross-session behavioral profiling raises privacy and data-minimization concerns, especially because it is described as silent and may use broad conversation context rather than narrowly scoped topic preferences.

Unbounded Resource Access

Medium
Category
Excessive Agency
Content
1. The initial cron fires at the scheduled time
2. The agent reads config + topics.md, composes a message, sends it, updates preferences, schedules the next random trigger, then deletes itself
3. The next trigger fires at a random time (between `minIntervalMinutes` and `maxIntervalMinutes` after the previous one)
4. Repeat forever

The agent continuously learns your preferences over time by updating topics.md after each interaction.
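The loop above, and the earlier finding that a wrong default timezone defeats quiet-hour protection, can be modelled without running the skill. The Python below is an added example, not code from the skill or the scanner: it reproduces step 2's "schedule the next random trigger" with the page's `minIntervalMinutes` / `maxIntervalMinutes`, defers any trigger that lands in quiet hours, and adds the bound the skill lacks (`maxRuns`). It then runs the same seeded chain twice for a user in US Pacific time, once with the correct zone and once with a UTC default, and counts how many deliveries land in the user's real night. The keys `timezone`, `quietStart`, `quietEnd` and `maxRuns` are assumed names; fixed UTC offsets stand in for real zone data so the script runs anywhere (production code would use `zoneinfo.ZoneInfo`).

```python
"""Model of the self-rescheduling one-shot chain with quiet hours and a run cap (added example)."""
import random
from datetime import datetime, time, timedelta, timezone

PACIFIC = timezone(timedelta(hours=-8), "PST")   # fixed offset stands in for America/Los_Angeles

# minIntervalMinutes/maxIntervalMinutes are the page's names; the rest are assumed names.
CONFIG = {
    "timezone": PACIFIC,
    "quietStart": time(22, 0),
    "quietEnd": time(7, 0),
    "minIntervalMinutes": 120,
    "maxIntervalMinutes": 600,
    "maxRuns": 50,          # hard stop; the skill itself repeats forever
}


def in_quiet_hours(t, start, end):
    """True if wall-clock time t lies in [start, end); the window may wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def defer_past_quiet(local_dt, start, end):
    """Return local_dt unchanged outside quiet hours, else the end of the quiet window."""
    if not in_quiet_hours(local_dt.time(), start, end):
        return local_dt
    quiet_end = local_dt.replace(hour=end.hour, minute=end.minute, second=0, microsecond=0)
    if local_dt.time() >= end:      # evening half of a wrapped window: wait until tomorrow
        quiet_end += timedelta(days=1)
    return quiet_end


def next_trigger(now_utc, cfg, rng):
    """Step 2 of the loop: random delay within the bounds, then honour quiet hours."""
    delay = rng.randint(cfg["minIntervalMinutes"], cfg["maxIntervalMinutes"])
    local = (now_utc + timedelta(minutes=delay)).astimezone(cfg["timezone"])
    return defer_past_quiet(local, cfg["quietStart"], cfg["quietEnd"]).astimezone(timezone.utc)


def simulate_chain(start_utc, cfg, rng, user_tz):
    """Follow the chain for maxRuns and return delivery times in the user's real zone."""
    fires, now = [], start_utc
    for _ in range(cfg["maxRuns"]):
        now = next_trigger(now, cfg, rng)
        fires.append(now.astimezone(user_tz))
    return fires


def night_deliveries(fires, quiet_start, quiet_end):
    return [f for f in fires if in_quiet_hours(f.time(), quiet_start, quiet_end)]


def demo(seed=7):
    """Same user and seed: correct timezone versus the skill's UTC default."""
    start = datetime(2025, 1, 6, 12, 0, tzinfo=timezone.utc)
    good = simulate_chain(start, CONFIG, random.Random(seed), PACIFIC)
    bad_cfg = dict(CONFIG, timezone=timezone.utc)   # the wrong-locale default from the finding
    bad = simulate_chain(start, bad_cfg, random.Random(seed), PACIFIC)
    qs, qe = CONFIG["quietStart"], CONFIG["quietEnd"]
    return {
        "runs": len(good),
        "night_with_correct_tz": len(night_deliveries(good, qs, qe)),
        "night_with_utc_default": len(night_deliveries(bad, qs, qe)),
    }


if __name__ == "__main__":
    print(demo())
```

With the correct zone no delivery falls inside 22:00-07:00 local; with the UTC default the quiet window is enforced on the wrong clock, so deferred triggers land at 07:00 UTC, which is 23:00 for the user.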
Confidence
95% confidence
Finding
Repeat forever

Session Persistence

Medium
Category
Rogue Agent
Content
Smart Surprise transforms a passive AI assistant into a **proactive companion** that reaches out to users at unpredictable moments — with greetings, care, tips, news, or just a friendly chat. Over time it learns what the user likes and tailors content accordingly, making every interaction feel more personal.

Unlike fixed scheduled tasks that feel mechanical, Smart Surprise uses a **chain of self-deleting one-shot cron jobs** to create organic, surprise-driven interactions. The chain runs indefinitely and **learns continuously** from what the user responds to.

## How the Core Loop Works
Confidence
98% confidence
Finding
create organic, surprise-driven interactions. The chain runs indefinitely and **learns continuously** from what the user responds to. ## How the Core Loop Works ``` [One-shot cron fires at scheduled

Session Persistence

Medium
Category
Rogue Agent
Content
---

## Step 2: Create the Initial Cron Trigger

Run this **once** to start the self-perpetuating chain. The initial trigger should be **~5 minutes after setup** so the agent has time to initialize. Generate the UTC timestamp dynamically:
Confidence
97% confidence
Finding
Create the Initial Cron Trigger Run this **once** to start the self-perpetuating chain. The initial trigger should be **~5 minutes after setup** so the agent has time to initialize. Generate the UTC

Session Persistence

Medium
Category
Rogue Agent
Content
openclaw cron list | grep -i surprise
openclaw cron rm <job-id>   # repeat for each job found

# Recreate with correct session target (isolated)
openclaw cron add \
  --name "Smart Surprise" \
  --session isolated \
Confidence
93% confidence
Finding
create with correct session target (isolated) openclaw cron add \ --name "Smart Surprise" \ --session isolated \ --delete-after-run \ --at "<future-UTC-time>" \ --message "Read ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal