Back to skill

Security audit

Context Restore

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to restore saved context, but it also includes opt-in automation, cron persistence, and external notification hooks that need careful review.

Review this before installing if your saved context may contain private project details, secrets, or client data. Use the basic restore command only unless you explicitly want recurring monitoring; avoid --auto and cron setup until you understand the exact files it will read, where logs go, and whether any notification script exists in the expected cron path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (49)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'--file', context_file,
                '--auto' if auto_mode else '--confirm'
            ]
            subprocess.run(cmd, capture_output=True, timeout=10)
            return True
        except (subprocess.SubprocessError, OSError):
            pass
Confidence
93% confidence
Finding
subprocess.run(cmd, capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            output_file = tempfile.mktemp(suffix=".txt")
            
            result = subprocess.run(
                [
                    sys.executable,
                    "scripts/restore_context.py",
Confidence
89% confidence
Finding
result = subprocess.run( [ sys.executable, "scripts/restore_context.py", "--file", temp_path,

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises operational capabilities including reading context files, writing outputs/cache files, and invoking shell/cron flows, yet the skill metadata declares no permissions. This creates a transparency and consent gap: users or orchestrators may treat it as read-only while it can persist data and trigger host-level actions, increasing the risk of unauthorized filesystem access or automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is context restoration, but the skill also describes broader behaviors including scanning project directories, caching hashes, installing cron jobs, platform detection/reformatting, diffing arbitrary files, and invoking external notification scripts. This scope expansion materially changes the trust boundary and can expose more local data, create persistence, and execute external processes beyond what a user would reasonably expect.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
This report instructs the primary agent to perform actions unrelated to the declared context-restoration purpose, including GitHub setup, content publishing, analytics monitoring, and community engagement. In an agentic environment, such out-of-scope operational directives can cause unauthorized external actions, scope drift, and misuse of the skill as a marketing automation payload rather than a context utility.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file is dominated by marketing, repository publishing, and social-media rollout content instead of behavior supporting restoration of prior conversation context. This mismatch increases the risk that an agent consuming skill files as guidance will take unrelated external actions, making the skill a vehicle for instruction injection and unauthorized task expansion.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A skill framed as restoring prior context should not silently grow into recurring monitoring and auto-restore behavior. Cron-based persistence changes it from an on-demand reader into a background task, which increases privacy risk and makes unintended repeated data access more likely.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Generating or installing cron jobs is not necessary for simple context restoration and introduces persistence on the host. Persistence can be abused to repeatedly access context files, consume resources, or act as a foothold for further automation without the user's continuing awareness.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
External notification hooks such as Telegram or email expand a local context-restoration skill into a potential data-exfiltration channel. Even if only change events are intended, file names, paths, summaries, or context metadata could be transmitted outside the local environment, violating user expectations and confidentiality.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The documented ability to generate and install cron jobs gives the skill persistence and autonomous execution capabilities that are not aligned with a simple context-restore purpose. In a context-restoration skill, undocumented or under-justified persistence features increase the risk of stealthy background monitoring, repeated access to sensitive context files, and user-surprising system modification.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Installing cron jobs is context-inappropriate for a skill whose stated purpose is restoring prior conversation context. Persistence mechanisms can cause ongoing background execution and repeated file access, which materially increases risk if the skill handles sensitive local context or project metadata.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The usage guide expands a context-restoration skill into cron-based installation and continuous monitoring, creating persistence and unattended execution beyond the stated core purpose. This broadens the operational and security footprint, especially because restored context may contain sensitive project or conversation data that could be logged or processed repeatedly without active user awareness.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation introduces Telegram integration, which materially changes the skill from local context restoration to external messaging/notification behavior. Even if the sample only sends a short message, adding a networked integration increases data exposure risk and user expectations should be reset explicitly because users may reasonably assume the skill is local-only from its metadata.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This skill is supposed to restore context, but it also monitors files for changes, caches state, sends notifications, and generates cron automation artifacts. That scope expansion increases attack surface and can enable unattended processing of sensitive context data outside the user's immediate request.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Executing an external notification script is not necessary for basic context restoration and creates a second execution path with its own trust assumptions. If that script is replaced, modified, or behaves unexpectedly, restoring context can become a trigger for arbitrary local actions and data disclosure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code generates executable shell scripts and facilitates cron-based recurring execution, which is far beyond a one-shot context restore operation. This introduces persistence-like behavior and enables repeated unattended processing of conversation context, increasing privacy and operational risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Summary generation reads real-time project progress from external project directories instead of only the provided compressed context file. That broadens data access and can expose unrelated local workspace information when a user expects the tool to summarize just one file.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The help text and behavior imply user confirmation is required, but in non-interactive mode the script silently treats failure to prompt as confirmation and proceeds. This can cause automated or piped executions to restore and print sensitive context without actual approval.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger uses broad natural language equivalent to everyday continuation requests, which can cause the skill to activate when a user is merely conversing rather than explicitly consenting to context restoration. Because this skill reads prior conversation summaries and related memory/context files, accidental activation can expose sensitive historical data into a new session or surface information the user did not intend to retrieve yet.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description presents reading compressed context files and MEMORY.md-style references as a convenience feature but does not warn that these files may contain sensitive project data, personal notes, credentials, or historical conversation content. In a context-restoration skill, omission of a privacy warning increases the chance that users invoke it without understanding the scope of data access and disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic monitoring, cron integration, and external notification support introduce persistent file watching and potential outbound data disclosure, yet the page gives no warning about privacy, resource usage, or what content may be transmitted. In this skill's context, monitoring context files and notifying external platforms can leak sensitive operational history or project data beyond the local environment if enabled casually.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The article markets natural-language activation for a stateful skill using broad phrases like resuming prior work, which can overlap with ordinary conversation. If the platform binds these phrases directly to invocation, the skill could be triggered unintentionally and expose prior context summaries without an explicit user action.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The example triggers include very common phrases such as "what was I doing?" and "continue previous work," which are likely to appear in normal chat. In a context-restoration skill, accidental invocation can reveal project names, tasks, and recent operations from stored context files to the current session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description emphasizes convenience but does not prominently warn that the skill reads prior compressed context files and may surface project/task history. Users may not realize that invoking it can expose sensitive historical data, increasing the risk of privacy and confidentiality issues in shared or mistaken contexts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using a common phrase like '继续之前的工作' as an activation trigger is risky because it can be invoked during normal conversation without deliberate intent. In a context-restoration skill, accidental activation may expose prior conversation summaries, tasks, project details, or other sensitive context to the current session or to a user who did not explicitly request retrieval through a scoped command.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.