Security audit

Feedback Collector

Security checks across malware telemetry and agentic risk

Overview

This is a simple feedback prompt skill that stores user satisfaction notes locally, with some privacy and auto-trigger caveats but no evidence of hidden or harmful behavior.

Install only if you are comfortable with the assistant asking for satisfaction feedback after tasks and saving those responses locally. Avoid putting secrets or sensitive case details into feedback, and periodically review or delete the memory and preference files if you do not want a long-term record.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases are generic enough to match ordinary conversation, which can cause the skill to activate unexpectedly in unrelated contexts. Because this skill collects feedback and writes to persistent files, accidental invocation can lead to unintentional data collection or preference updates without clear user intent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README states that feedback is stored in `memory/feedback-log.md` and `USER-PREFERENCES.md`, but it does not clearly warn users that their responses may persist across sessions. This creates a privacy and transparency issue because users may disclose opinions or behavioral preferences without understanding they are being retained and used later.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill is configured to trigger automatically after broad categories of common actions, which can cause frequent unsolicited prompts and repeated collection of user feedback. In context, that also increases the chance of storing user responses and task details to persistent memory without clear, per-event consent, creating privacy and usability risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly records success, failure, and improvement details to persistent memory files but does not warn the user that their feedback and task-related details will be stored. This is dangerous because users may disclose sensitive information in feedback, and persistent logs can accumulate behavioral data and error context that outlives the original interaction.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.