Bird Watching Mode

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it keeps a local bird-watching log, can identify bird photos through a disclosed helper tool, and can export the log to CSV on request.

Install only if you want a persistent local birding log in your project workspace. Review bird.json and any CSV exports before sharing them, especially if notes, timestamps, location context, or local photo paths are sensitive. Use only a trusted superpicky-cli installation for region lookup and photo identification.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The invocation guidance includes broad triggers like enabling bird-watching mode, logging birds, exporting CSV, or recording species from photos, which can match ordinary requests without clearly signaling that shell commands and persistent writes will occur. Ambiguous activation increases the risk that the skill runs in contexts where the user did not intend file creation, photo processing, or external CLI use.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs the agent to send exported CSV files by attachment or email but provides no privacy warning or confirmation step. Because the CSV may contain timestamped observations, location-derived metadata, notes, and image references, this can cause unintended disclosure of potentially sensitive user activity or personal data.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal