Daily-to-Goal MCP

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a goal/task management integration with disclosed external API read/write behavior, with a usability risk from broad trigger wording but no artifact-backed malicious behavior.

Before installing, confirm that you want this skill to read and write data in the Daily-to-Goal account tied to its API key. Use a least-privilege or dedicated API key if available, and be careful with generic requests like creating tasks or managing goals if you use multiple goal-tracking tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises trigger phrases such as "manage my goals", "create a task", and especially generic product references like "goal tracking", which are broad enough to match common user requests outside this specific integration. That can cause unintended invocation of a capability that performs real read/write actions against an external SaaS using a privileged API key, increasing the chance of accidental data access or modification.

VirusTotal

65/65 vendors flagged this skill as clean.
