Timeblock

Security checks across malware telemetry and agentic risk

Overview

Timeblock is a disclosed local time-block logging tool with no evidence of network access, credential use, destructive behavior, or hidden execution.

Install only if you are comfortable storing time-block notes locally under ~/.local/share/timeblock. Avoid entering highly sensitive locations, personal details, or confidential work information unless the device and local account are trusted, and periodically review or delete the logs if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence: 94%
Finding
The implementation does not match the declared purpose of a day-planning/time-blocking skill and instead exposes a broad generic logging surface. This kind of capability mismatch is dangerous because it can mislead users and calling agents into supplying sensitive planning or personal data to a tool that simply stores and enumerates it, increasing data collection risk without clear justification.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The export and search features provide broad access across all accumulated logs, which exceeds the stated need of a time-block planner and can expose previously entered user content in bulk. In a skill context, this increases the chance of unintended disclosure of sensitive schedules, notes, or personal information to users, downstream tooling, or other local processes with access to the exported files.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The script branding and documentation imply a specialized time-block planning tool, but the implementation behaves as a generic local data logger. Misrepresentation is a security concern because it lowers user suspicion and can induce disclosure of sensitive information under false assumptions about functionality and handling.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script persistently records raw user input to local log files without clear notice, consent, minimization, or retention limits. Because a time-planning skill is likely to receive sensitive personal schedules, tasks, locations, and habits, silent persistence creates privacy and confidentiality risk even without remote exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.
