Back to skill

Security audit

work-log

Security checks across malware telemetry and agentic risk

Overview

This is a local work-log skill with disclosed storage and reminder behavior that matches its stated purpose, though users should avoid logging sensitive workplace details casually.

Install if you want a local plaintext work-log assistant with recurring progress reminders. Use explicit commands when adding, deleting, or completing tasks, and do not put secrets, credentials, customer-confidential details, or regulated data into the log unless local storage on your device is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes very generic phrases such as “记一下” and “查日志,” which can plausibly appear in ordinary conversation without a clear intent to invoke persistent logging behavior. Because this skill writes to a local file and can create recurring reminders, accidental activation could cause unintended data storage, misleading reminders, or exposure of sensitive work details.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The operational rules rely on ambiguous natural-language commands like “任务已完成” or “完成了XXX” to update records and disable automation tasks, but they do not define strong matching boundaries for which task should be modified. In a conversational setting, this can lead to the wrong task being marked complete or the wrong reminder being disabled, undermining data integrity and workflow reliability.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly stores logs under a persistent path in the user profile, potentially including sensitive work content, but it does not present a clear user-facing warning about retention, visibility, reminder creation, or deletion behavior. Users may unknowingly persist confidential project, customer, or operational details locally, increasing privacy and security risk on shared or managed devices.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.