Agent Context System

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local agent-memory template, but its setup depends on a missing CLI and it includes workflows that can persistently change agent instructions or push an entire workspace to GitHub.

Install only if you are comfortable manually controlling the files it changes. Do not run the publish script unless you have checked git status and confirmed exactly what will be pushed. Treat .agents.local.md as persistent memory: keep secrets, customer data, credentials, and untrusted instructions out of it. Avoid --autopromote unless you review the proposed AGENTS.md changes like normal code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is marketed as a local-only memory system with no infrastructure, but the document also instructs users to publish to GitHub, create repos, and push code remotely. That mismatch can mislead users about the real trust boundary and network/data exposure, especially if they assume installation and operation are strictly local.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The Security section asserts path-scoped behavior, no symlink traversal outside the project root, and no writes to '..' paths, but this file provides no implementation proving those guarantees. Security claims without enforceable controls create a false sense of safety and may cause users or agents to trust file operations more than warranted.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document says scratchpad writes require user confirmation, but other sections describe automatic session-end updates and Claude auto-memory behavior that do not clearly preserve the same approval gate. This inconsistency can lead to unexpected persistence of sensitive session content or user assumptions that approval is always required when it may not be.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script performs real GitHub network operations, creates a remote repository, pushes local content, and mutates repository metadata, which directly contradicts the product description of being 'local-only' with 'no infrastructure'. That mismatch is security-relevant because users may run the tool under the assumption that it never exfiltrates data or reaches external services, while this script can publish repository contents to GitHub.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script initializes a git repo if needed, stages the entire working tree with 'git add -A', commits it, and then pushes it to GitHub. Even with a lightweight sensitive-file check, this creates a meaningful risk of accidental data disclosure because many sensitive files will not match the small denylist, and a memory-system skill does not inherently need blanket publishing capability over all local content.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments and user-facing messaging frame the action as merely creating a private template repository, but the script also commits current local files, pushes them, and changes remote metadata. This understatement can mislead users about the scope of side effects, increasing the chance they run it in a repository containing unintended content or assume privacy alone eliminates publication risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly states that the agent reads both files at session start and updates the local scratchpad at session end, but it does not prominently warn users that adopting this skill causes automated modification of repository-adjacent files. In an agent skill context, silent or implied file writes are security-relevant because users may grant broad workspace access and not realize the tool persists context across sessions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill encourages persistent session logging in a local scratchpad but does not surface a clear privacy warning near the main description or setup flow. Users may unknowingly store secrets, credentials, customer data, or sensitive code context in a durable file that future agents will automatically read.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to run an initialization script that creates files, updates ignore rules, and modifies tool configuration without requiring an explicit user confirmation or warning about persistent repository changes. In an agent setting, this can lead to unintended file creation or repository state changes from a loosely scoped request, especially because the skill is designed to act early in a session.

VirusTotal

62/62 vendors flagged this skill as clean.