Agent Context

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local agent-memory skill, but it needs review because it can persist and promote agent-written project instructions and includes optional GitHub publishing with limited safeguards.

Install only if you want persistent agent memory in your projects. Review every proposed change to .agents.local.md and AGENTS.md, avoid autopromote unless you have inspected the exact additions, and do not store secrets, credentials, customer data, or sensitive conversation details in the scratchpad. Run publish-template.sh only deliberately, after checking your active GitHub account and the exact files that would be uploaded.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (19)

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The script creates a remote GitHub repository, pushes local contents, and mutates repository settings even though the skill is marketed as 'local-only' with 'no infrastructure'. That mismatch is security-relevant because users may run it under the assumption that data remains local, increasing the chance of unintended publication of tracked files or project metadata.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The instruction to always read both AGENTS.md and .agents.local.md before any task creates a broad, implicit activation path for persistent local context without scoping when that behavior is appropriate. In practice, this can cause agents or subagents to ingest sensitive or irrelevant local instructions by default, increasing prompt-injection and data-exposure risk across unrelated tasks.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to append session logs to .agents.local.md and even suggests prompting at session end to do so, but it does not require clear prior disclosure that a persistent local file will be modified. This can lead to silent retention of sensitive task details, credentials, paths, or user intent in a long-lived file the user did not realize would be changed.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The promotion workflow allows automatic appending of recurring patterns into AGENTS.md, a committed shared file, without requiring an explicit warning or approval for repository modifications. This creates a stronger risk than local logging because unreviewed or poisoned content from local notes can be persisted into version-controlled instructions that influence future agent behavior for all collaborators.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly states that the agent reads both files at session start and updates the local scratchpad at session end, but it does not clearly warn users that running this workflow causes persistent file modification. In an agent skill context, silent or implied writes are security-relevant because users may not realize prompts or task-derived content will be stored locally and later reused.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documented `agent-context promote --autopromote` behavior auto-appends recurring patterns into AGENTS.md, which is a committed/shared instruction file, without a prominent warning about automatic repository modification. That is risky because natural-language content derived from prior sessions can become durable project instructions and influence future agent behavior across teammates and tools.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The activation condition is broad enough that ordinary user questions about project setup could trigger the skill and cause it to steer the session into reading or modifying repository context files. In a coding-agent setting, overly broad activation increases the chance of unintended execution paths and surprise file operations, especially because the skill later recommends initialization and repository changes.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill tells the agent to run an initialization script that creates files, updates ignore rules, and wires agent configuration without requiring a clear user-facing confirmation or describing the side effects first. In an agent environment, that can lead to non-transparent modifications of the working tree and tool configuration based on a loosely matched setup request.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: Automatically adding .agents.local.md to .gitignore changes repository metadata and can affect team workflows or hide future file changes from version control awareness. While low severity on its own, doing so without explicit notice or approval is still an unauthorized repository modification.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script runs 'git add -A' and then pushes to a newly created GitHub repository, but it only checks for a narrow set of sensitive filenames and does not clearly warn that all tracked content will be uploaded. This can lead to accidental disclosure of source files, internal notes, tokens in nonstandard filenames, or other private material committed from the working tree.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The scratchpad model encourages agents to persist 'what it learns each session' in natural language, but the README does not define boundaries excluding secrets, credentials, personal data, or sensitive business context. In a memory system specifically designed for reuse across sessions, this materially increases the chance that sensitive inputs will be retained and resurfaced later.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The workflow says the agent logs session learnings to .agents.local.md and reads both files at the start of future sessions, creating a retention-and-replay channel for prior sensitive inputs. In this skill's context, that is more dangerous because the entire purpose is persistent cross-session memory, so any accidental sensitive capture becomes systematically reused.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The guidance to prompt the agent to 'log this session' or 'update the scratchpad' encourages broad capture of session content without sensitivity checks. Because many users will phrase this loosely, an agent may summarize secrets, internal URLs, credentials, incident details, or proprietary code context into a persistent file.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The skill explicitly establishes persistent cross-session memory in local markdown files and instructs agents to read and update them every session. Without data-minimization rules, this can cause retention of sensitive prompts, code details, credentials, tokens, internal URLs, or personal preferences that were only needed transiently, increasing the chance of later disclosure or misuse.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The session-end logging guidance tells the agent to append what changed, what worked, what didn't, decisions made, and patterns learned from every session, but it does not restrict sensitive content. In practice, this creates a durable memory sink for potentially confidential development details and user-provided information, which may later be surfaced to future sessions or other tools reading the file.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The template institutionalizes an always-on session log with one entry per session and accumulated learnings, creating long-lived memory by default. Even if the file is gitignored, local persistence still expands the attack surface through local compromise, accidental inclusion, prompt injection via poisoned notes, or agent overreliance on stale/sensitive retained context.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The skill establishes default persistent session logging into a local memory file, which can capture user-provided content, project details, decisions, and dead ends across sessions. Even though the storage is described as local-only and gitignored, it still creates a retention mechanism that may store sensitive data without explicit consent or minimization controls.

Ssd 3

Medium

Confidence: 94% confidence
Finding: Prompting the agent to proactively offer scratchpad updates at session end encourages retention of conversation content even when the user did not ask for persistence. In practice, this increases the likelihood that sensitive or unnecessary context is stored by default, especially in long coding sessions containing internal architecture notes or operational details.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: 4. Only touch what the task requires. 5. Run tests after every change. Run lint before committing. 6. Summarize every file modified and what changed. 7. At session end, append to `.agents.local.md` Session Log: what changed, what worked, what didn't, decisions made, patterns learned. If the user ends the session without asking, prompt them to let you log it. Run `agent-context promote` to review candidates, or `agent-context promote --autopromote` to auto-append patterns recurring 3+ times. ## Deep References (Read Only When Needed)
Confidence: 85% confidence
Finding: without asking

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal