Back to skill

Security audit

Kaizen

Security checks across malware telemetry and agentic risk

Overview

The skill is a local Kaizen note tracker with misleading reference-style documentation, but its file changes are local, user-invoked, and not malicious.

Install only if you want a local note tracker, not just a Kaizen reference. Avoid storing confidential operational or personnel details, and be careful with remove and export because they can delete records or copy them into the current directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill is presented as a reference-only Kaizen guide, but the documented command surface implies executable scripts and the analysis reports additional stateful filesystem behaviors such as persistent storage, deletion, export, config writes, and disk-usage reporting. That mismatch is dangerous because users may invoke the skill expecting passive documentation while it actually performs local file operations, increasing the chance of unintended data modification or exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says this is a Kaizen reference/coaching skill, but the script actually performs persistent local data collection, search, deletion, export, and configuration changes. That mismatch is dangerous because users may invoke the skill expecting informational guidance while unintentionally creating and manipulating local files containing potentially sensitive notes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes all added entries to persistent storage under ~/.kaizen without an upfront warning or consent flow. In the context of a skill described as a process-improvement reference, users may input operational notes, incidents, or other sensitive content and not realize it is being retained on disk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The remove command deletes a selected line from the persistent datastore immediately, with no confirmation, preview, backup, or undo. This can lead to accidental loss of audit or process-improvement records, especially since the skill does not present itself as a destructive data-management tool.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The export function writes accumulated user data to a new file in the current working directory without clear disclosure in the skill description. This can unintentionally duplicate sensitive notes into less protected locations or into repositories/shared directories if run from those paths.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.