Session Archive

Security checks across malware telemetry and agentic risk

Overview

This is a local session-archive plugin that does what it says, but it will automatically save full conversation content and metadata to a SQLite database.

Install only if you intentionally want full prompts, outputs, tool-related metadata, operation records, and token usage saved locally. Protect the SQLite database path, avoid using it for highly sensitive conversations unless local retention is acceptable, and plan your own deletion, retention, and encryption controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The plugin explicitly attempts to register its archive engine as the global "default" context engine, which broadens activation far beyond an opt-in archival feature. In this skill's context, that means conversation capture may occur across general interactions by default, increasing covert data collection and violating least-privilege expectations.

Intent-Code Divergence

Low (87% confidence)
Finding
The comments frame registration as harmless if it fails, but the code still actively attempts to become the default engine and silently suppresses any resulting error. This mismatch obscures the plugin's true behavior, making review, monitoring, and incident response harder when a data-collecting component expands its reach.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The plugin registers not only under its explicit name but also under the generic "default" context engine, which can cause it to be invoked in situations where users or operators did not intentionally select the archival behavior. Because this plugin archives every conversation message, default registration materially expands its activation surface and can lead to silent collection of sensitive data across sessions.

Intent-Code Divergence

Medium (90% confidence)
Finding
The comments downplay the effect of registering as "default," but the code still attempts to hook the generic default engine path, which can mislead reviewers and operators about the plugin's real behavior. This mismatch increases the risk of undisclosed or misunderstood activation of a component that stores all conversation content, reducing informed consent and weakening auditability.

Missing User Warnings

Medium (93% confidence)
Finding
The README explicitly advertises automatic archival of complete conversation content, including metadata and tool-related fields, to a local SQLite database, but it does not clearly document consent expectations, default collection scope, retention limits, or guidance for handling sensitive data beyond a brief storage warning later in the file. In an agent environment, conversations may contain credentials, personal data, proprietary code, or command outputs, so silent-by-default persistence increases privacy and data exposure risk if users are unaware of the behavior.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly states that it automatically archives conversation messages to a local SQLite database, but it does not provide any user-facing warning about persistence, retention, or privacy implications. Silent storage of potentially sensitive chat content can expose secrets, personal data, and regulated information to anyone with local access or to other tools that read the database.

Missing User Warnings

Medium (83% confidence)
Finding
The code persists potentially sensitive session messages, operation history, and token usage to a local SQLite database under the user's home directory, but there is no evidence here of consent, minimization, retention limits, access controls, or encryption. If the host is shared, compromised, or backed up to less-trusted locations, this can expose conversation contents, file paths, commands, account identifiers, and other sensitive metadata.

Missing User Warnings

Medium (82% confidence)
Finding
The engine persists full session message content and extensive metadata, including account identifiers, message IDs, tool names, media paths, and token data, without any visible consent, minimization, masking, or retention controls in this code path. In an agent skill context, this can silently archive sensitive prompts, outputs, and attachment references, increasing privacy and data-exposure risk if the datastore is misused or later compromised.

Missing User Warnings

Medium (97% confidence)
Finding
The plugin is designed to archive every conversation message to a local SQLite database, yet this file shows no user-facing notice, consent flow, or scope limitation. Because conversations can contain secrets, credentials, and personal data, indiscriminate retention creates significant privacy and compliance risk.

Missing User Warnings

Medium (89% confidence)
Finding
This code persistently stores full message content plus rich metadata such as account IDs, message IDs, media paths, and parent session linkage in a local SQLite database under the user's home directory. Even though there is no obvious exfiltration or SQL injection here, this creates a privacy and data-retention risk because sensitive conversation content and identifiers are written to disk without any consent, minimization, encryption, or retention controls visible in this file.

Missing User Warnings

Medium (86% confidence)
Finding
The operations table records sensitive activity history including commands, file targets, configuration changes, and login/logout events in persistent local storage. In an agent context, such records can expose system structure, secrets embedded in commands or paths, and high-value operational history to anyone who can access the database, making this more dangerous than ordinary logging.

Missing User Warnings

Medium (91% confidence)
Finding
This engine persists full session message content plus associated metadata such as session identifiers, roles, model, tool names, and media paths to a database, but this file shows no consent, minimization, retention, or access-control safeguards around that archival behavior. In an agent context, messages may contain secrets, personal data, or proprietary prompts, so silent persistence increases privacy and data-exposure risk if the archive is accessed, leaked, or over-retained.

Missing User Warnings

Low (84% confidence)
Finding
The code stores token usage, model identifiers, timestamps, and related session linkage for assistant messages without any visible notice or policy controls in this file. While less sensitive than full message bodies, usage telemetry can still reveal behavioral patterns, model usage, cost data, and correlations to specific sessions or users, creating a privacy and observability risk if collected unexpectedly or retained too broadly.

Missing User Warnings

Medium (87% confidence)
Finding
The plugin description states that every conversation message is archived to a local SQLite database in real time, but this file contains no user-facing disclosure, consent, retention control, or indication of data minimization. In an agent/plugin context, conversations commonly contain secrets, credentials, personal data, or proprietary information, so silent persistent logging creates a meaningful privacy and data-exposure risk.

Natural-Language Policy Violations

Medium (93% confidence)
Finding
The code and comments indicate the plugin intentionally tries to register under the generic "default" context so it may activate broadly, not only when the user chooses the named archive engine. In the context of a plugin whose purpose is to archive all messages, this increases the likelihood of automatic surveillance-like behavior without clear opt-in, making the privacy impact significantly more dangerous.

Ssd 3

High (98% confidence)
Finding
The plugin's stated purpose is to record every conversation message, creating deliberate retention of potentially sensitive user content beyond the immediate interaction. In an agent skill, this is especially dangerous because users may disclose credentials, internal data, or personal information assuming transient processing rather than durable logging.

Ssd 3

High (96% confidence)
Finding
Registering the archive engine as the default context engine makes broad collection of conversation data much more likely, because it can trigger outside a dedicated archive workflow. This amplifies the surveillance and retention risk by making the behavior pervasive rather than explicitly invoked.

VirusTotal

64/64 vendors flagged this skill as clean.
