Back to skill

Security audit

Context Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill fits its context-management purpose, but it stores and logs pieces of conversation content by default, so it should be reviewed before use with sensitive chats.

Install only if you are comfortable with local retention of conversation content. For sensitive work, disable archive and chat logging or set a protected archive path with clear retention/deletion rules, and double-check any uninstall cleanup paths before running deletion commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The archive store path logs raw conversation content to stdout, including a preview of the archived text. In an agent skill, stdout is often captured by host logs, CI systems, containers, or observability platforms, so this expands access to sensitive chat data beyond the optimization feature's stated purpose.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The installation guide enables an on-disk archive feature for conversation context but does not clearly warn users that potentially sensitive chat history may be persisted to local storage. In an agent skill focused on context retention and archive retrieval, this omission is security-relevant because users may unknowingly store private prompts, secrets, or regulated data and later delete or mishandle it without understanding the exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The uninstall section instructs users to run irreversible `rm -rf` commands against the skill directory and archive path without a clear warning that this permanently deletes stored archive data. Because this skill archives conversation context, the deleted files may include valuable or sensitive records, and users may trigger unrecoverable loss without realizing what is being removed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill enables automatic compaction and archive persistence without a prominent warning that conversation content may be modified, summarized, filtered, and stored on disk. In a conversational agent context, that can create confidentiality, integrity, and retention risks because users and operators may assume ephemeral handling while sensitive data is actually transformed and retained locally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The logger includes a user-derived query string in chat-visible log output by interpolating `query.substring(0, 30)` into the message. Even though it truncates the value, this still discloses potentially sensitive user content without notice, consent, or redaction, and the skill context makes this more concerning because the component is specifically designed to process and optimize large conversation histories that may contain private data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists full archived message content to local disk as JSON without any explicit consent, warning, retention control, or protection mechanism. In this context optimizer, conversations may contain secrets, personal data, or proprietary prompts, so silent persistence materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The console logging emits conversation content without a user-facing warning or consent flow. Because logs are commonly centralized and retained longer than active context, sensitive data may be disclosed to operators, third-party log processors, or anyone with access to runtime logs.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "Clawdbot",
  "license": "MIT",
  "dependencies": {
    "tiktoken": "^1.0.15",
    "@xenova/transformers": "^2.17.2"
  },
  "devDependencies": {
Confidence
95% confidence
Finding
"tiktoken": "^1.0.15"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "tiktoken": "^1.0.15",
    "@xenova/transformers": "^2.17.2"
  },
  "devDependencies": {
    "@types/node": "^22.10.6"
Confidence
95% confidence
Finding
"@xenova/transformers": "^2.17.2"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.