Security audit

Get To It

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local task assistant, but it under-discloses its network access for calendar sync (a privacy-sensitive operation) and silently stores long-term personal context.

Install only if you are comfortable with a local SQLite database storing your tasks, calendar-derived event details, and personal preferences. Do not connect private iCal URLs unless you trust the source and understand that the morning brief may fetch them automatically; use the listed list-ltm, clear-ltm, list-calendars, and disconnect-calendar commands to audit or remove stored data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The manifest says no data leaves the machine, but the skill supports connecting to remote iCal URLs and formatting content for Telegram delivery. Even if the Telegram output is only generated locally, the documented workflow encourages outbound sharing, and remote calendar sync necessarily sends network requests, and with them request metadata, off-device.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill metadata promises 'no data leaves your machine,' but this file conditionally imports urllib and later supports fetching remote iCal URLs. That is a direct trust-boundary violation: users may rely on the local-only claim while the code can initiate outbound network requests and process remote calendar content.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: Remote calendar fetching adds network capability to a tool marketed as local-first, creating SSRF-like and privacy risks because arbitrary URLs can be registered and fetched. A user, or an upstream component feeding the agent, could cause requests to internal services or other sensitive endpoints, and the remote server also learns that the machine fetched the calendar URL.
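The two findings above (the undisclosed urllib fetch and the SSRF-like exposure of arbitrary registered URLs) share one control: decide, before any fetch, whether a calendar source is local or remote, refuse remote sources unless the user has explicitly enabled them, and refuse remote hosts that resolve to loopback, link-local, or RFC 1918 space. The following is an added example written for this audit, not code from the Get To It skill; the source URLs, the `allow_remote` flag, and the `_constructed_resolver` DNS table are assumptions chosen so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the skill): a local file, a real-looking
# private feed, two hosts that should never be fetched, and an unsupported scheme.
SAMPLE_SOURCES = [
    "file:///home/alice/calendars/personal.ics",
    "https://calendar.example.org/alice/private.ics",
    "http://127.0.0.1:8080/admin/calendar.ics",
    "http://169.254.169.254/latest/meta-data/",
    "ftp://calendar.example.org/feed.ics",
]

# Address ranges a calendar fetcher has no business contacting. Listed explicitly
# rather than via ipaddress.is_private so the policy is visible and deterministic.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip: str) -> bool:
    """True if ip falls in a loopback, link-local, or private range."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be checked as the IPv4 it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def _constructed_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname so the example runs offline (assumed table)."""
    table = {"calendar.example.org": "203.0.113.10"}
    if host in table:
        return table[host]
    try:
        ipaddress.ip_address(host)   # IP literal: no lookup needed
        return host
    except ValueError:
        raise OSError(f"unknown host {host}")


def classify_source(url: str, allow_remote: bool = False, resolver=socket.gethostbyname):
    """Return ('local', path), ('remote', url) or ('rejected', reason) for one source.

    Nothing is fetched here; the caller fetches only sources classified 'remote'.
    """
    parts = urlparse(url)
    if parts.scheme in ("", "file"):
        return ("local", parts.path or url)
    if parts.scheme not in ("http", "https"):
        return ("rejected", f"unsupported scheme {parts.scheme!r}")
    if not allow_remote:
        # The default matches the manifest's local-only claim: no network unless opted in.
        return ("rejected", "remote calendar sources are disabled (local-only mode)")
    host = parts.hostname
    if host is None:
        return ("rejected", "missing host")
    try:
        ip = resolver(host)
    except OSError as exc:
        return ("rejected", f"could not resolve {host}: {exc}")
    if is_blocked_ip(ip):
        return ("rejected", f"{host} resolves to non-public address {ip}")
    return ("remote", url)


def local_only(sources, resolver=socket.gethostbyname) -> bool:
    """True only if every configured source is a local file, i.e. the
    'no data leaves your machine' claim actually holds for this configuration."""
    return all(classify_source(s, allow_remote=True, resolver=resolver)[0] == "local"
               for s in sources)


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", classify_source(src, allow_remote=True,
                                         resolver=_constructed_resolver))
    print("configuration is local-only:", local_only(SAMPLE_SOURCES, _constructed_resolver))
```

Two caveats a reviewer should keep in mind. First, resolving the host before the fetch does not bind the fetch to that address: a DNS-rebinding host can answer with a public IP for the check and a loopback address for the connection, so a production fetcher should connect to the vetted IP directly (or re-check inside the socket layer) rather than let urllib resolve again. Second, urllib follows redirects by default, so each redirect target needs the same classification before it is followed.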

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: Very broad trigger phrases such as '開始' ("start"), 'review', or 'remember' can cause the skill to take actions the user did not intend, including modifying tasks or storing memory. In an agent setting, ambiguous activation increases the risk of unauthorized state changes and accidental data retention.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill explicitly instructs silent storage of personal preferences, constraints, and insights without notifying the user or obtaining consent. This is dangerous because it creates hidden profiling and retention of sensitive behavioral data that users may not expect, especially given the local-first privacy framing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Calendar sync fetches remote or local calendar sources and stores event summaries, times, and locations in a persistent database with no runtime disclosure on that path. Sensitive calendar data may therefore be ingested and retained unexpectedly, increasing privacy exposure and violating user expectations about what the tool processes and stores.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The morning brief automatically syncs all connected calendars, so a routine local command can trigger outbound network requests and process external data without an immediate warning. In a supposedly local-first personal assistant, that hidden side effect is more dangerous because it is easy to invoke unintentionally and leaks metadata to remote calendar servers.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: Silently retaining and reusing personal preferences and constraints creates covert persistence of user data. Even when stored locally, hidden memory can influence future outputs in ways the user cannot easily audit, increasing privacy risk and the chance that sensitive context is used inappropriately.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: This section operationalizes silent storage of lasting preferences, constraints, insights, and personal context, which can include sensitive life details. Because the storage is proactive and not user-confirmed, the context makes the privacy risk more serious: the agent is directed to profile users over time without an explicit boundary.

VirusTotal

61/61 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.