Security audit

Skill Box

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate self-reflection skill, but it asks for broad access to logged-in social accounts, chats, screenshots, and persistent local profile files without strong enough scoping and privacy controls.

Install only if you are comfortable letting the agent inspect carefully selected personal accounts, chats, screenshots, or digital-history exports. Prefer pasted excerpts or exports over live logged-in browsing, approve each platform and timeframe explicitly, avoid full-account scans, and review or delete the files written under `profiles/`, because they may preserve sensitive personal inferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (33)

Description-Behavior Mismatch (Medium severity, 90% confidence)

The README makes a strong privacy/security claim that 'all analysis is local' and 'nothing is uploaded to any server' while also documenting browser-based fetching of social-platform pages and public URLs. Even if the author means processing results are stored locally, network access to third-party platforms still exposes user activity and credentials/session context, so the claim is misleading and may cause users to share sensitive data under false assumptions.

Intent-Code Divergence (Medium severity, 89% confidence)

This is effectively the same underlying issue as SDI-1: a contradictory privacy claim that understates the data exposure created by remote page retrieval. In a skill centered on harvesting highly personal social-history data, misleading privacy assurances increase the risk of unsafe user behavior and uninformed consent.

Description-Behavior Mismatch (Medium severity, 87% confidence)

The skill presents itself as a reflective archaeology/self-analysis tool, but it also defines persistent profile lifecycle operations such as storage, rollback, listing, and deletion. That materially expands the data-handling scope into long-term retention and account-like state management, increasing privacy risk and making the actual capability broader than the user-facing description suggests.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The skill instructs the agent to connect to a logged-in user browser and inspect personal account pages across multiple platforms. Even with a 'read only' rule, this grants access to highly sensitive authenticated content and broadens the skill from reflection into privileged data collection, creating substantial privacy and overreach risk if the agent navigates beyond what the user expects.

Intent-Code Divergence (Medium severity, 80% confidence)

The statement that 'all analysis is local, no upload to any server' is misleading in the context of browser/web fetching from remote services. Users may infer stronger privacy guarantees than the implementation can actually provide, leading them to share or authorize access under false assumptions.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The prompt expands from general self-reflection into collecting historical account data and storing it as persistent profile artifacts. That creates unnecessary retention of sensitive personal content and inferred traits, increasing privacy and misuse risk beyond what a user would reasonably expect from a reflective 'archaeology' tool.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The skill explicitly instructs browsing logged-in social accounts and retrieving private or semi-private historical content. Even with user participation, this materially increases exposure of sensitive archives and normalizes overbroad access to personal data for a non-essential purpose.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The prompt explicitly instructs the agent to access a user's logged-in social-media pages and collect personal data to infer behavioral patterns. This expands data access beyond what is clearly necessary for the stated entertainment/persona purpose and creates a privacy risk, especially because the data may be sensitive and user-scoped.

Context-Inappropriate Capability (Medium severity, 96% confidence)

Instructing the agent to browse personal pages after login for a speculative 'past life' inference is disproportionate to the feature's purpose and may expose private account data. The context makes this more dangerous because the task is interpretive/entertainment-oriented, not a necessity-driven workflow requiring authenticated access.

Context-Inappropriate Capability (Low severity, 88% confidence)

The prompt directs the agent to write generated persona outputs to profile files, creating persistent storage of user-derived personal inferences. Persisting this data is not obviously required for the immediate interaction and increases risk of unauthorized retention, reuse, or later exposure.

Description-Behavior Mismatch (Medium severity, 96% confidence)

The document explicitly prioritizes having the agent access and collect data from users' logged-in social-media pages, which exposes highly sensitive personal information and expands data access beyond what is necessary for a reflective 'past life' analysis feature. Even if framed as user-authorized, this creates substantial privacy, consent, and data-minimization risks because the agent may access far more information than the user expects.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The capability to browse authenticated personal pages on third-party platforms is not adequately justified by the stated purpose of speculative self-reflection, making the access disproportionate to the feature's needs. This mismatch increases the chance of unnecessary collection of private data and misuse of account-scoped information.

Missing User Warnings (Medium severity, 86% confidence)

The README encourages direct collection of users' social-platform data via browser-assisted access without a prominent sensitivity warning. Because the skill targets intimate historical content across social accounts, users may expose large volumes of personal, embarrassing, or account-linked data without understanding the privacy, consent, and third-party access risks.

Missing User Warnings (Medium severity, 88% confidence)

The skill documents generation and retention of structured profile files derived from deeply personal data, but does not clearly warn users that these artifacts will persist locally and may contain sensitive inferences. Persistent JSON/Markdown profiles increase the chance of later disclosure through device compromise, accidental sharing, backups, or multi-user systems.

Missing User Warnings (Medium severity, 91% confidence)

The skill encourages browser-based access to personal accounts but does not present a prominent, explicit warning about the sensitivity of authenticated content that may be exposed during navigation, snapshots, or screenshots. In this context, the omission is dangerous because the skill targets deeply personal digital history across social platforms, making accidental over-collection especially likely.

Missing User Warnings (Medium severity, 90% confidence)

The skill writes structured profiles and readable reports to local storage, but it does not clearly warn users that these outputs may contain sensitive inferences and persist across sessions. Because the tool is designed to reconstruct intimate behavioral patterns, retention itself creates a meaningful privacy and misuse risk, especially on shared devices or poorly secured systems.

Missing User Warnings (Medium severity, 90% confidence)

The skill proposes building a local AI 'clone profile' from analysis of a user's public and private persona, which necessarily involves highly sensitive behavioral and psychological data. Although it says processing is local, it does not require explicit informed consent, data minimization, retention limits, or safeguards against analyzing third-party private content, creating a meaningful privacy and profiling risk.

Missing User Warnings (High severity, 95% confidence)

The prompt explicitly instructs collection of highly sensitive private communications, including private chats, family conversations, and browser-assisted capture of chat interfaces, but provides no meaningful privacy notice, consent boundary, minimization rule, or retention safeguard. This is dangerous because it normalizes over-collection of intimate third-party and user data and can expose sensitive relationships, behavioral patterns, and personal content to unauthorized storage or downstream misuse.

Missing User Warnings (Medium severity, 97% confidence)

The prompt requires writing sensitive excerpts and behavioral interpretations to files without informing the user that this data will be stored locally. Silent persistence of intimate historical content and psychological inferences materially raises confidentiality, retention, and secondary-use risks.

Missing User Warnings (Medium severity, 94% confidence)

The skill directs the agent to browse logged-in personal accounts and fetch historical content without an explicit privacy warning or consent checkpoint tied to that access. This can cause users to underestimate the sensitivity of what is being exposed and the breadth of retrieval being performed.

Missing User Warnings (Medium severity, 95% confidence)

The prompt explicitly prioritizes collecting browser-visible digital footprint data after user login and using it to build a personal 'epitaph' profile, but it provides no privacy notice, consent boundary, minimization rule, or retention guidance. Because the data concerns intimate behavioral history and identity-related content, the lack of handling safeguards creates a real privacy risk even if the feature is framed as reflective rather than malicious.

Missing User Warnings (Medium severity, 97% confidence)

The output spec stores highly sensitive personal and existential data (including regrets, desired legacy, inferred social metrics, and generated characterizations) to local JSON and Markdown files without warning the user that this information will persist on disk. Persistent storage of such intimate profile data increases the chance of unintended disclosure through shared machines, backups, syncing, or later reuse beyond the user's expectations.

Missing User Warnings (High severity, 97% confidence)

The skill instructs collection of highly sensitive cross-platform personal activity data, including social history, usage patterns, deleted content metrics, and account timelines, and it writes the aggregated profile to local files under `profiles/legacy_{timestamp}.json` and `.md` without any explicit privacy notice, consent flow, data minimization, or retention limits. Centralizing this data increases the risk of privacy harm, profiling, unintended disclosure, and over-collection, especially when browser-assisted account access and screenshots are involved.

Missing User Warnings (High severity, 98% confidence)

The skill tells the agent to inspect a user's personal social-media pages after login without an explicit privacy warning or informed-consent language in the prompt. That omission is dangerous because users may not understand that authenticated personal content could be accessed and used for profile generation.

Missing User Warnings (Medium severity, 94% confidence)

The prompt stores generated profiles to local files without clearly informing the user that their data-derived profile will be retained. Silent storage of behavioral inferences increases privacy and compliance risk because users may assume the content is ephemeral.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.