Context Restore

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate context-restore purpose, but it includes optional background monitoring, cron setup guidance, broad local context reading, and execution of an external notification script path that users should review carefully.

Install only if you want this skill to read saved conversation context and local project status files. Avoid enabling --auto or cron monitoring unless you understand the exact paths being read and have reviewed any notify_context_change.py integration. Treat Telegram, email, or other notification examples as separate outbound integrations that need explicit consent and secret handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (47)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'--file', context_file,
                '--auto' if auto_mode else '--confirm'
            ]
            subprocess.run(cmd, capture_output=True, timeout=10)
            return True
        except (subprocess.SubprocessError, OSError):
            pass
Confidence
93% confidence
Finding
subprocess.run(cmd, capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            output_file = tempfile.mktemp(suffix=".txt")
            
            result = subprocess.run(
                [
                    sys.executable,
                    "scripts/restore_context.py",
Confidence
84% confidence
Finding
result = subprocess.run([sys.executable, "scripts/restore_context.py", "--file", temp_path,

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares only a context-restoration purpose, but the documentation clearly describes file reads, file writes, shell-like cron installation, and script execution capabilities without any explicit permission model or guardrails. Hidden or undeclared capabilities increase risk because users and orchestrators may invoke the skill assuming a narrow read-only scope when it can also persist files and affect host scheduling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a genuine scope-expansion issue: the skill claims to restore prior context, but the documented behavior extends into project-directory inspection, diffing, notifications, platform formatting, automatic monitoring, and cron/job installation. That mismatch is dangerous because it defeats user expectations and creates opportunities for unintended data access, persistence, and background execution under the cover of a benign-sounding skill.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This file describes promotional publishing, release management, and external-platform posting workflows that are unrelated to the declared purpose of a context-restoration skill. Such scope drift is dangerous because it normalizes nonessential outbound actions and could be used to socially engineer operators into granting the skill broader authority, credentials, or publication access than it needs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documented steps to initialize git, add a remote, and push to GitHub introduce unjustified external publication capabilities for a skill that should only read and summarize context files. If an agent or operator follows these instructions in trust of the skill package, sensitive workspace contents or internal artifacts could be unintentionally published to a remote repository or external platforms.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The promotion package claims the skill can automatically save and restore conversation context, but the stated skill purpose is restore/read-only context recovery. This mismatch can mislead users and integrators into granting broader trust or permissions than the skill actually needs, creating unsafe deployment assumptions and possible privacy or capability overreach.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The quickstart documents installation of cron-based automatic monitoring and auto-recovery behavior, which materially extends the skill beyond passive context restoration into persistence and recurring execution. Even in documentation form, encouraging unattended periodic execution over user context data increases the risk of privacy leakage, unexpected background activity, and misuse if the underlying scripts are later modified or invoked in unsafe environments.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation broadens a user-invoked restore tool into an automation and job-management system, including monitoring and external notification workflows. Such scope drift increases attack surface and persistence opportunities, especially because background automation can continue operating after the initial user interaction ends.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Cron installation is not necessary to fulfill the core purpose of restoring context on demand, so its inclusion creates unjustified persistence on the host system. Persistence mechanisms are security-sensitive because they can repeatedly access data, consume resources, and become a foothold for later misuse or accidental overcollection.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
External notification integration is beyond the justified scope of a context restore tool and creates an outbound data-flow channel. Even if intended for convenience, notifications can leak sensitive file paths, project names, timing, or context-derived content to external systems without strong minimization and consent controls.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The usage guide documents capabilities that substantially exceed the stated purpose of simple local context restoration, including diffing arbitrary files, Telegram workflows, and cron-related automation. Even though this is documentation rather than executable code, it signals scope creep and normalizes broader operational behaviors that can increase the attack surface and encourage unsafe deployment patterns.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation includes cron installation and scheduling guidance for a skill whose stated purpose is restoring conversation context. Persistence and scheduled execution are materially more dangerous than one-shot local restoration because they can create unattended background behavior, alter user environment state, and be repurposed for repeated collection or execution.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Telegram integration is not justified by the narrow function of local context restoration and introduces an outbound communications channel. In this skill context, external messaging increases the risk of unintended disclosure of workflow metadata or restored context and broadens the trust boundary beyond the local system.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section adds autonomous monitoring, file creation, and cron workflow generation to a skill whose stated purpose is restoring context. That scope expansion creates persistence and unattended execution capabilities, which materially increase risk because restored context may be processed or emitted repeatedly without active user involvement.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing an external notification script is not necessary for restoring context and introduces an unjustified execution primitive. In the skill context, this is more dangerous because it can trigger automatically after detecting context changes, meaning a benign-seeming restore action can lead to running extra code outside the reviewed file.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code can generate executable shell scripts, chmod them, and prepare cron automation, which gives the skill persistence-oriented behavior unrelated to simple context restoration. In this skill context that mismatch is significant, because users may grant trust for reading context files but not for installing recurring jobs or executable artifacts.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The module imports and uses external project-progress sources, so the summary output is no longer derived solely from the supplied compressed context file. That broadens data access beyond the declared purpose and may leak unrelated project state or filesystem-derived information when a user only intended to restore a conversation snapshot.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The tests demonstrate support for cron-job installation and notification integration, which expands the skill from passive context restoration into persistence and system-level automation. In an agent skill, scheduled execution and notifications increase the attack surface because they can enable repeated autonomous actions, unexpected background behavior, or covert signaling beyond the user’s immediate request.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Installing cron jobs is a persistence mechanism and is not justified by a skill whose stated purpose is restoring conversation context. Even if intended for convenience, this capability can be abused to execute the skill repeatedly without clear user awareness, turning a simple utility into a background task with ongoing system access.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The example trigger phrase "继续之前的工作" ("continue the previous work") is broad natural language that can easily occur in ordinary conversation, so a host system may invoke this skill when the user did not explicitly intend to restore prior context. In a skill that reads saved context and surfaces project/task history, accidental invocation can expose sensitive prior-session information or cause unexpected context mixing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description advertises reading compressed context files, timeline review, monitoring, and change detection, but does not present any user-facing warning about privacy, data sensitivity, retention, or where the context is sourced from. Because context files may contain prior prompts, project details, credentials, or personal data, users may enable the feature without understanding that historical conversation content is being read and surfaced.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The article presents broad natural-language triggers such as "continue previous work" and "what was I doing?" that can easily appear in ordinary conversation. If the platform binds these phrases directly to skill activation, the skill may restore sensitive prior context unexpectedly, exposing project details or conversation history without a deliberate user action.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The text says the skill "automatically reads compressed context files and restores your work state in seconds" without defining when that automation occurs or what user consent is required. Ambiguous automatic behavior is risky for a context-restoration skill because it may cause unintended access to prior session data in situations where the user only asked a general question.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The description emphasizes convenience but does not warn users that restoring context may reveal prior conversation content, tasks, project names, and operational history. In this skill's context, the omission is significant because the core function is retrieving potentially sensitive historical data, so users may not appreciate the privacy and confidentiality implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal