Context Shrink

Security checks across malware telemetry and agentic risk

Overview

This memory-compression hook is not clearly malicious, but it asks for automatic authority to rewrite and delete memory files and run broad Git commits with inconsistent disclosure.

Review carefully before installing. This skill should only be used if you are comfortable with an automatic hook that may alter long-term memory, delete older memory logs, and create Git commits. Prefer a version that aligns its documentation, fixes or removes the incompatible event gating, disables destructive actions by default, stages only known memory files, avoids shell-interpolated Git commands, and requires explicit approval before deletion or committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill metadata declares no permissions, yet the documented behavior implies access to environment/code capabilities. This creates a trust gap: users and policy systems cannot accurately evaluate what the hook may access, increasing the chance of unauthorized data exposure or execution under broader privileges than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose says the skill compresses session memories, but the detected behavior includes deleting files, modifying workspace state, and running git commands. This mismatch is dangerous because users may install it expecting low-risk summarization while it actually performs destructive and externally consequential actions, including persisting sensitive changes into version control.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented hook does not match the advertised skill metadata: it changes the skill name, lowers the trigger from 85% to 60%, and adds destructive cleanup plus git push behavior. This kind of capability drift is dangerous because users may install a seemingly benign context-compression skill but actually get automatic data deletion and possible remote transmission of memory contents.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic git commit and especially push are not necessary for local memory compression and can exfiltrate sensitive conversation history or derived summaries to a remote repository. Because this hook runs on routine events, it could transmit data silently and repeatedly without meaningful user awareness.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documented sequence deletes early memory files before compression/integration, contradicting claims that content is backed up first. This creates a real risk of irreversible data loss, broken memory integrity, and inaccurate long-term summaries if compression fails or is incomplete.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill stages and commits all repository changes with `git add -A`, which can capture unrelated files, secrets, or user work far beyond memory-compression data. In the context of an auto-triggered context-management skill, repository-wide persistence is over-privileged and can silently modify source history in ways the user did not authorize.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Importing `execSync` to run shell commands introduces an unnecessary command-execution capability for a skill whose stated purpose is shrinking context. Even though the current commands are hardcoded git operations, they interpolate `workspaceDir` into the shell string, creating risk of command injection or command execution against unintended directories if that value is attacker-controlled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The hook describes silent automatic deletion, compression, and git push of memory data without a clear user-facing warning or consent flow. In the context of session memories, these actions affect potentially sensitive and user-generated data, making silent modification and transmission especially risky.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documentation does not clearly warn that it may delete local files, rewrite MEMORY.md, and auto-commit changes. In a hook that runs automatically on context thresholds, lack of upfront warning materially increases risk because users may not realize local data can be removed or versioned without explicit interaction.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill automatically overwrites `MEMORY.md` and deletes historical memory files without explicit user confirmation, backup, or dry-run review. In a session-management context this is dangerous because memory data may contain important user history, and compression is lossy, so the action can cause irreversible data loss or tampering with the agent's working memory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill executes git staging and commit commands automatically and without user disclosure at the time of action. Even if intended for convenience, silently creating commits changes repository state and may persist sensitive or unrelated content, which is unsafe for an automatic maintenance hook.

VirusTotal

64/64 vendors flagged this skill as clean.
