High Agency

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it broadly changes the agent’s behavior for every task and uses persistent memory files without enough user control.

Install only if you intentionally want an always-on, aggressive productivity workflow. Before using it in private repositories or sensitive work, disable or limit automatic memory reads and writes, require approval before creating builder-journal.md or HANDOFF.md, and avoid letting it run broad file inspections or commands outside the current task scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill instructs the agent to read a persistent `builder-journal.md` from a memory directory at the start of every session, regardless of the current task. That creates cross-session data reuse outside the stated motivational purpose, increasing privacy risk and enabling hidden prompt persistence or instruction carryover from prior tasks.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill requires creating and updating `builder-journal.md` and later `HANDOFF.md`, giving it persistent state management and workspace modification behavior beyond a coaching layer. This can silently write session-derived content into the user's workspace, creating privacy, integrity, and prompt-persistence risks.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill mandates broad tool use such as searching, file reading, and command execution before asking the user questions, and applies this expectation to nearly all tasks. That expands the agent's operational scope beyond coaching into autonomous investigation, increasing the chance of unnecessary data access or risky actions without clear task-specific consent.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is presented as a high-agency motivational layer, but its end-of-session protocol instructs persistent archival to memory files and handoff files, effectively turning it into a workflow orchestration and memory system. This mismatch is dangerous because users and integrators may enable it expecting tone or coaching changes, not persistent stateful behavior that modifies data and carries context forward.

Vague Triggers

High
Confidence: 98%
Finding
The manifest says to use the skill for ALL tasks and trigger it on virtually any task start or sustained work, making activation effectively universal. In combination with the skill's persistence and tool-use directives, this broad trigger surface greatly increases the likelihood that unsafe behaviors occur in unrelated contexts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells the agent to write persistent journal content without warning the user that workspace files will be modified. Silent writes can surprise users, pollute repositories, leak task context into durable files, and create an audit/integrity problem when those files are later reused.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs the agent to read from a user memory directory at session start without any privacy disclosure or consent. This can expose prior session data unrelated to the current request and allows old content to influence current behavior without the user's awareness.

Ssd 3

Medium
Confidence: 97%
Finding
The instruction to read prior session content from a memory directory for all tasks establishes persistent cross-session memory reuse. This is dangerous because it can carry forward sensitive information, stale assumptions, or adversarial content into unrelated future tasks, effectively creating unvetted long-term prompt injection.

Ssd 3

Medium
Confidence: 98%
Finding
The skill requires writing lessons and session-derived content into a persistent journal after every task. Persisting this material by default can store sensitive task details, operational context, or user data in durable files that later influence behavior or get exposed accidentally.

Ssd 3

Medium
Confidence: 98%
Finding
The metacognitive logging section formalizes cross-conversation storage of conclusions in an auto-memory directory, encouraging durable retention of session-derived judgments. This increases privacy risk and creates a mechanism for unreviewed behavioral steering across future sessions, which is especially risky given the skill's always-on framing.

Ssd 3

Medium
Confidence: 99%
Finding
The session-end protocol directs the agent to archive lessons and current task state into persistent memory and handoff files before responding. This creates automatic durable storage of session context and intermediate state, increasing the chance of data leakage, unintended workspace modification, and hidden carryover into later tasks.

VirusTotal

65/65 vendors flagged this skill as clean.