Security audit

真实的人类 (Real Human)

Security checks across malware telemetry and agentic risk

Overview

This skill is not executable malware, but it directs the agent to automatically build persistent personal profiles with sensitive emotional, behavioral, and relationship data without clear opt-in controls.

Install only if you intentionally want persistent personal profiling. Before using it, require explicit opt-in, store only user-approved non-sensitive preferences by default, treat emotional distress and psychological inferences as sensitive, and ensure users can inspect, correct, export, and fully delete all profile and memory files.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The file explicitly classifies psychological state as information requiring authorization, yet its example extracts clear mental-distress indicators ("压力很大", meaning "under a lot of stress", and "快撑不住了", meaning "about to break down") and marks them as non-sensitive. In a skill designed for human modeling and profiling, this inconsistency can normalize covert collection and downstream use of highly sensitive mental-health inferences without consent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The skill’s trigger phrases are broad and overlap with ordinary conversation topics such as profiling, personality analysis, and understanding a person. That increases the chance of unintended invocation of a skill that performs persistent user modeling, which is especially risky given the sensitive data collection and profiling behaviors described elsewhere in the file.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill explicitly describes automatic creation and updating of persistent per-user model files based on conversations, but does not require an explicit user-facing notice or opt-in before storage begins. This creates a real privacy and profiling risk because users may be monitored, categorized, and retained across sessions without meaningful awareness or consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The framework explicitly recommends collecting both explicit and implicit signals such as reply speed, wording, emotional cues, and decision trajectories to build models of individuals. In the context of a skill whose purpose is human profiling, this creates a real privacy-sensitive profiling risk because it normalizes inference of personal traits from behavioral data without a strong consent, minimization, and use-limitation guardrail at the point of collection.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The skill instructs the agent to automatically create and continuously update per-user dossiers from conversations, including extracted traits and relationship information. Persistent dossiers of this kind materially increase privacy harm, profiling misuse, and unauthorized surveillance risk, especially when collection is continuous and tied to a user identifier.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The model template directs storage of a wide range of personal, emotional, behavioral, and social data, including stress reactions, emotional needs, important relationships, and current challenges. Even if framed as personalization, this creates a sensitive, longitudinal profile that could be misused for manipulation, discrimination, or privacy invasion if accessed improperly or populated without explicit consent.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The integration with MEMORY.md, daily memory logs, and USER.md broadens the persistence surface and enables accumulation of detailed private data across multiple long-term stores. This makes profiling more dangerous because sensitive information can be duplicated, correlated, and retained beyond the user’s expectations, increasing breach and misuse impact.

VirusTotal

64/64 vendors flagged this skill as clean.