Back to skill

Security audit

Flow Immersion

Security checks across malware telemetry and agentic risk

Overview

This focus-timer skill includes broad desktop control, remote UI loading, automatic launcher creation, and silent self-repair automation that go beyond what most users would expect from a pomodoro tool.

Install only if you are comfortable with a productivity skill that can run a local FastAPI server, change desktop UI state, create desktop launcher files, store focus history locally, contact/load a remote UI, and set up self-repair automation that may inspect or modify its own files. Review and disable the self-repair patrol, remote UI fallback, automatic shortcut creation, and registry-changing mini-mode before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
'''
        try:
            subprocess.Popen(
                ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', ps],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                creationflags=0x08000000  # CREATE_NO_WINDOW
Confidence
92% confidence
Finding
subprocess.Popen( ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', ps], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,

Tainted flow: 'ps' from os.environ.get (line 1688, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
}}
'''
        try:
            subprocess.Popen(
                ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', ps],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                creationflags=0x08000000  # CREATE_NO_WINDOW
Confidence
88% confidence
Finding
subprocess.Popen( ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', ps], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes file reads/writes, network access, shell/curl usage, and task automation. This undermines informed consent and security review because a user or platform may treat the skill as low-risk while it performs materially more powerful operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose is a focus/pomodoro tool, but the documented behavior extends into local server hosting, remote URL probing/loading, desktop modification, media file serving, scheduled patrol tasks, and self-repair/code modification. This mismatch is dangerous because users may authorize or invoke the skill expecting a timer, while it performs broad system-level and networked actions outside that trust boundary.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
A productivity skill should not include autonomous self-repair and source-code modification workflows by default. Allowing the skill to inspect errors, read source files, modify code, run validation commands, and mark repair state creates a self-altering execution path that can be abused for persistence, tampering, or concealment of malicious changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The recurring patrol task and repair queue are persistent automation mechanisms unrelated to a normal pomodoro function. Creating hourly scheduled tasks and granting the skill authority to inspect, modify, and resolve code issues increases persistence and attack surface, especially if the local API or queue contents can be influenced.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill can open a remote hosted UI fallback despite presenting itself as a local focus/ADHD immersion tool. That materially changes the trust boundary: browser content is fetched from an external domain, enabling remote content changes, tracking, and possible phishing or unsafe script delivery outside the user's expectation of a local productivity utility.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The mini-mode launcher modifies a Windows registry key to disable captive portal detection, which is unrelated to a pomodoro or ADHD assistant and affects broader system/network behavior. System-wide configuration changes outside the stated purpose are especially dangerous because they are hard for users to notice, can weaken expected OS protections, and indicate overreach beyond the tool's declared scope.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Creating a desktop shortcut and launcher batch file is persistence-like behavior beyond the core focus-timer purpose, especially when done by API call without clear warning. While not inherently malicious, it changes the user's desktop environment and can condition users to accept silent file drops on their system.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code writes runtime snapshots into an external ~/.workbuddy path unrelated to the advertised user-facing function. This exports metadata about project structure, process details, and file indexes outside the skill directory, which can leak sensitive local context and indicates hidden cross-component data sharing.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The reset endpoint's description says focus history is preserved, but it also deletes all plan files, which is a trust and transparency failure around destructive behavior. Mismatches between documentation and code increase the chance of unintended data loss and reduce a user's ability to make informed decisions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The page calls localhost APIs to move/resize windows, hide/show desktop icons, launch immersive windows, and restore wallpaper, which extends behavior beyond an in-browser timer into host desktop manipulation. Even if intended as a desktop companion feature, these capabilities alter the user's environment and can be abused or triggered unexpectedly, increasing the attack surface and violating least privilege for the stated skill purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
On first load, the skill automatically calls /api/shortcut/create and reports creation of desktop shortcuts and BAT launcher scripts. Automatic persistence-like host modifications are not implied by a focus timer and are dangerous because they write artifacts to the user's system without prior approval, creating opportunities for abuse, social engineering, or unauthorized launch pathways.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Creating desktop shortcuts and BAT launchers automatically is unjustified for the advertised function of a flow-state timer. This broadens host-system impact in a way unrelated to core functionality and could be repurposed for persistence, deceptive launchers, or execution of unintended commands through generated scripts.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill accepts arbitrary local directory paths for music, persists them, and relies on backend APIs to load content from those paths. For a timer skill, this is broader file-system access than necessary and can expose sensitive directory structure, enable unintended file enumeration, or normalize unsafe trust of arbitrary local paths.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The example triggers are broad enough that ordinary conversation about focus, study, or concentration could invoke the skill unintentionally. Because this skill performs file writes, launches interfaces, and may execute maintenance logic on load, accidental invocation materially increases the chance of unwanted system actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow writes directly to a local config.json based on user dialogue without prominently warning that local files will be modified. Silent persistence is risky because users may not understand that conversational input causes disk changes, and malformed or manipulated inputs could alter the skill’s future behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs silent creation of a recurring patrol task every time the skill loads, without user notification. Persistently installing background automation is a high-risk behavior because it survives beyond a single session and can repeatedly execute network, shell, or repair actions without continued user awareness.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill documents silent API calls, curl-based maintenance, reading repair queues, editing files, and resolving status without adequate disclosure. Hidden network and code-modification behaviors are dangerous because they can be used to alter local state or conceal activity while the user believes they are only using a focus timer.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill persistently stores session history and statistics under the user's home directory without any visible consent, disclosure, retention notice, or privacy control. Even though this is local-only storage, the data includes task names, timestamps, behavioral check-ins, and self-reflection notes, which can reveal sensitive productivity habits or personal information to other local users, backups, or later components that read the same files.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code can change the user's desktop wallpaper immediately, including arbitrary file paths supplied to set_wallpaper(), without any user-facing disclosure, confirmation, or consent boundary. While this is framed as an immersion feature, silent OS-level UI modification can be abused for deception, disruption, or coercive UX, especially in an agent skill context where the user may not expect system changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill hides and shows desktop icons through Win32 APIs without explicit user disclosure or confirmation. Hiding core UI elements can mislead users, obscure files, and create a hostile or deceptive environment, which is more concerning in an automation/agent setting because the effect occurs at the operating-system level rather than inside the application's own interface.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill creates desktop shortcut and batch files without a user-facing warning or consent flow. Silent creation of executable or launcher-related artifacts is dangerous because it alters the user's environment and can be abused for persistence-like behavior or social engineering.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This endpoint changes the system wallpaper, which is a global desktop modification with user-impacting side effects. In context, wallpaper changes are somewhat related to immersion mode, but doing so through an API without clear warning and opt-in still creates unnecessary surprise and potential misuse.

Missing User Warnings

High
Confidence
95% confidence
Finding
The reset endpoint rewrites configuration files and deletes plan files without an explicit confirmation or disclosure mechanism. Destructive actions exposed over HTTP are dangerous because accidental invocation, UI confusion, or cross-origin interaction could lead to immediate user data loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.