Back to skill

Security audit

Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This proactive-agent skill appears purpose-aligned but asks agents to persist personal context, monitor sensitive sources, and take system actions with unclear consent and scoping.

Install only if you intentionally want a highly proactive assistant with persistent memory and broad local-tool access. Before enabling it, review and constrain email/calendar access, raw conversation logging, cron reminders, spawned agents, app/tab/file cleanup, and any credential-location notes; prefer explicit opt-in, previews before deletion or trashing, and a clear way to inspect, edit, and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly encourages 'spawning agents' as a routine troubleshooting tactic, expanding behavior beyond proactive memory management into delegated autonomous execution. That broadens the attack surface because spawned agents may receive sensitive context or perform actions under weaker oversight than the primary agent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The instruction to schedule weekly cron-style reminders introduces persistent autonomous behavior that can continue acting after the immediate conversation ends. That is broader than simple proactive assistance and can create unwanted monitoring, repeated outreach, or policy bypass if reminders trigger without fresh user intent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
These rules authorize the agent to search the web, check calendars, and broadly 'work within the workspace' without a clear task-bound trigger. That expands data access and monitoring beyond the stated purpose of a proactive-agent pattern skill, increasing the chance of unnecessary collection or use of sensitive information.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The heartbeat workflow explicitly instructs the agent to inspect emails and calendars and decide when to reach out autonomously. This creates a standing surveillance behavior over sensitive personal data that is not justified by the declared skill purpose and could expose private information or cause unwanted monitoring.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
Directing the agent to use 'every tool' including browser, web search, CLI, and spawned agents encourages capability escalation beyond necessity. In practice, this can bypass least-privilege expectations and lead to uncontrolled access patterns or risky tool chaining when simpler, safer options would suffice.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The heartbeat directs the agent to perform system-management actions such as closing applications, managing browser tabs, and moving files to trash without clear, scoped authorization or task-specific justification. In an autonomous or semi-autonomous agent, these actions can disrupt user work, cause data loss, or alter the host environment beyond the skill's stated proactive-assistant purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Periodic checks of emails, calendar, and projects expand the skill into continuous monitoring of sensitive personal or organizational data sources without clear boundaries, minimization rules, or explicit consent flows in this file. In context, a proactive agent may use such access for legitimate assistance, but unattended polling increases privacy and overreach risk if permissions are too broad.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The onboarding reference expands the agent's post-onboarding behavior to proactively 'build things' for the user, which is a material capability escalation beyond merely collecting preferences. In the context of a proactive agent skill, this increases the chance that an agent will take semi-autonomous actions based on incomplete understanding or inferred preferences, especially because the surrounding guidance encourages persistent profiling and continuous improvement.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The reverse-prompting trigger is broad and subjective, which can cause the agent to initiate suggestions or solicitations more often than the user expects. In a proactive agent with persistent memory and scheduled reminders, this increases the risk of unwanted nudging, privacy-invasive questioning, and behavior that drifts beyond the user's current intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using 'long conversation' as a trigger for curiosity prompts is ambiguous and leaves the agent to decide when to begin eliciting more personal information. Because the skill also instructs storing learned details in USER.md or MEMORY.md, the ambiguity can lead to unnecessary data collection and intrusive behavior over time.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The onboarding flow explicitly says the agent will auto-populate USER.md and SOUL.md from user answers, but it does not present a clear privacy notice, retention policy, or consent checkpoint. This creates a real risk that users will disclose personal information without understanding it will be persistently stored for future sessions.

Vague Triggers

High
Confidence
95% confidence
Finding
The WAL trigger tells the agent to scan every message for broad categories like names, preferences, decisions, edits, and specific values, then persist them before responding. This creates an always-on collection rule that is likely to capture far more user data than necessary and can be triggered during ordinary conversation without clear consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The compaction recovery auto-triggers rely on ambiguous cues such as 'continue,' 'where were we,' or merely the agent feeling it should know something. Those conditions can fire during normal conversation and cause unnecessary reads of persistent files, increasing the risk of exposing stale or unrelated context.

Missing User Warnings

High
Confidence
94% confidence
Finding
The memory architecture section directs continual logging of active task state and daily raw logs, but it does not provide a clear user-facing warning or consent mechanism about persistent retention of conversation details. This creates a privacy risk because users may disclose sensitive information without understanding it will be stored across sessions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The WAL trigger tells the agent to scan every message for a wide range of common patterns and then automatically take action before responding. Broad, ambiguous activation conditions increase the chance the skill will activate on benign conversation and persist unnecessary or sensitive data, expanding the attack surface for prompt-triggered behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The onboarding flow instructs the agent to collect user answers over time and auto-populate persistent profile files without a clear consent, retention, or sensitivity notice. This can lead to silent accumulation of personal data and creates privacy and downstream disclosure risks if those files are later searched, shared, or exposed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The working buffer protocol mandates logging every exchange after a context threshold, including raw user messages, without a clear privacy warning or minimization policy. This creates systematic retention of potentially sensitive conversation content and increases exposure if local files are accessed by other tools, users, or future prompts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction 'Don't ask permission. Just do it.' encourages broad autonomous action before a task is clearly bounded. Even though other sections add some guardrails, this activation guidance can cause the agent to access files and context aggressively without user awareness or necessity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The first-run rule instructs the agent to delete BOOTSTRAP.md automatically after reading it, without requiring user confirmation. Automatic deletion can remove auditability, erase setup evidence, and be abused to hide unsafe initialization instructions or tampering.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The cleanup instructions include potentially destructive actions, such as closing apps and moving old screenshots to trash, without requiring warning, confirmation, rollback, or user approval. Even if intended as helpful maintenance, these actions can delete useful artifacts or interfere with active workflows when executed automatically during heartbeats.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly invites storage of highly sensitive personal and relationship data in long-term memory, including birthdays, background context, preferences, and people-related details, but provides no warning, minimization guidance, or constraints on sensitive data retention. In a proactive-agent skill centered on persistent memory and continuity, this omission can normalize over-collection and retention of personal data, increasing privacy, compliance, and secondary-exposure risk if the memory is mishandled or later surfaced to the model.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The file instructs the agent to initiate onboarding whenever it sees a broad state marker like `not_started` or `in_progress`, which weakens the requirement for an explicit user-triggered action. In a proactive-agent skill, this increases the chance of unsolicited prompting and context collection, potentially nudging users into sharing sensitive personal or work information without clear consent at that moment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding flow asks for personal identity, timezone, goals, work context, and key relationships, then states that the agent will update `USER.md` and `SOUL.md` and reuse the information, but it does not clearly warn users up front about storage, persistence, and downstream use. In this skill context, the omission is more concerning because the agent is explicitly designed to be proactive and continuously improve, making retained personal context more likely to be reused broadly across future interactions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly tells users to record where credentials are stored and provides a concrete example file path for an API key, but it does not include any guidance on secret handling, access restrictions, rotation, or safe alternatives such as secret managers. In an agent-oriented skill, this can normalize local plaintext secret storage and increase the chance that later automation, prompts, or tooling accidentally reads, exposes, or commits sensitive material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The flow instructs the agent to write answers into ONBOARDING.md, USER.md, or SOUL.md immediately after each response, but it does not require notifying the user that their answers will be stored persistently. This creates a privacy and consent gap: users may believe they are having an ephemeral conversation when the system is actually building a durable profile.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
assets/HEARTBEAT.md:11

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/security-patterns.md:9

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL-v2.3-backup.md:179