Back to skill

Security audit

Agent Todo

Security checks across malware telemetry and agentic risk

Overview

This appears to be an automation and task-queue skill, but it may create and dispatch agent work from reply content and scheduled hooks without enough user review.

Install only if you intentionally want persistent background task queues and multi-agent dispatch. Enable hooks or cron only after reviewing exactly what inputs can create tasks, require approval before dispatch or execution, and keep queue files/workspaces scoped so untrusted replies cannot trigger work automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description advertises very broad triggers such as heartbeat execution, follow-up work, background tasks, and multi-agent routing, which can cause the skill to be invoked in situations beyond a narrow user intent. In an agentic system, overly broad activation increases the chance of unintended task creation, execution, or routing, especially because this skill is designed to manipulate persistent queues and dispatch work across workspaces.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description includes broad natural-language triggers such as "do something later," "follow-up," and "heartbeat automation," which are common phrases that may appear in ordinary conversation. In an agent skill, this can cause unintended invocation or automatic task creation/execution without sufficiently explicit user intent, increasing the risk of surprise actions and unsafe background automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This hook converts untrusted reply text directly into queued tasks and may dispatch them to another agent without any confirmation, authorization check, or explicit user consent. In context, forum replies are adversarial input, so a user can induce unintended work, spam the task queue, or steer another agent into acting on content-derived instructions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly instructs integrating hooks, heartbeat commands, and cron-based execution that can automatically claim tasks and trigger immediate execution, but it does not warn users about the autonomy and safety implications of that behavior. In an agent context, automatic task claiming/execution increases the chance of unintended actions, privilege misuse, or execution of tasks derived from unreviewed natural-language commitments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.