daily-progress-tracker

Security checks across malware telemetry and agentic risk

Overview

This skill formats daily work reports and saves them locally in a documented reports folder, with no evidence of network access, credential use, or hidden behavior.

Before installing, understand that the skill can save your daily report to ~/reports/YYYY-MM-DD.md or to REPORTS_DIR, and today’s file may be overwritten. Review report contents before saving and use a private reports folder if the summaries include confidential project, meeting, or blocker details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill workflow explicitly includes a file-save step, but the user-facing description does not clearly state that the user's work summary will be persisted to local storage or require confirmation before writing. Daily reports can contain sensitive business information, project names, blockers, and meeting details, so silent persistence creates a privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documented command writes arbitrary report content to a local file under ~/reports or REPORTS_DIR, but the skill does not present this persistence behavior as an explicit consented action. Because work summaries often include confidential internal information, automatic local storage can expose sensitive data to other local users, backups, sync tools, or later unintended disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal