Optimize Context

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can automatically write to memory, prune context, and even report optimization while using mock messages instead of the real session.

Review the configuration before installing. Disable scheduled cleanup and automatic memory updates unless you explicitly want them, avoid using it on conversations with secrets or sensitive personal/business data, and be aware that the provided command may process mock data rather than your real conversation.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The command advertises and logs that it is performing context optimization, but it operates entirely on fabricated `mockMessages` rather than actual session history. This can mislead users or downstream automation into believing sensitive context was summarized, remembered, or cleaned up when no real optimization occurred, creating integrity and operational security risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly says it extracts key points and facts while clearing old context, but provides no warning about data loss, context alteration, or the risk of dropping safety-critical instructions and prior user constraints. In an agent setting, automatic context mutation can change behavior in ways the user does not expect, including loss of consent boundaries, security instructions, or important task details.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README explicitly describes automatic summarization, cleanup, and updates to MEMORY.md and summary files, but does not warn users that running the skill may autonomously modify persistent context or memory data. In an agent setting, silent modification of memory/context files can alter future model behavior, overwrite important information, or cause unintended data retention without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill explicitly says it will save summaries to memory files and then clear old context, but it provides no confirmation, rollback, preview, or warning about potential data loss and fidelity reduction. In an agent setting, automatic summarization can omit nuance, instructions, or safety-relevant details, and clearing source context can permanently remove information needed for correct or secure future behavior.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases are generic enough to overlap with normal user language such as asking to 'clean context' or 'optimize context', which can cause unintended invocation of a skill that modifies conversation state. In this skill, accidental activation is more dangerous because the manifest also enables scheduled cleanup and describes summarization and clearing behavior, so invocation ambiguity can lead to unexpected data alteration or loss.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The manifest advertises automatic cleanup of conversation history and includes auto-cleanup settings, but it does not present any explicit user warning, consent mechanism, or safeguard around deletion/modification of stored context. This is risky because users may not realize that summaries may replace or remove history, potentially causing silent data loss, loss of auditability, or corruption of long-term memory files.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script writes conversation summaries and extracted 'facts to remember' to persistent files in the workspace memory directory without any consent, minimization, or sensitivity filtering. Because the extracted content comes directly from user and assistant messages, this can retain secrets, personal data, or other sensitive context on disk beyond the active session, increasing disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Updating MEMORY.md with extracted facts creates long-term storage of user-derived information using broad regex-based extraction, with no warning, approval step, or classification of sensitive content. This is dangerous because MEMORY.md is likely intended for future reuse, so private details may persist indefinitely and be surfaced later to other tasks, tools, or users with workspace access.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The monitor can automatically optimize context and potentially clear or replace message history without any explicit user confirmation or visible warning. In a system handling user tasks and conversation state, this can silently remove important instructions, the audit trail, or safety-relevant context, causing integrity and reliability issues even if there is no clear malicious behavior.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Automatic removal of old context and auto-purge can silently delete conversation history or working state, which may include safety-relevant instructions, user consent records, or task context needed for correct operation. In an agent skill, undisclosed cleanup increases the risk of integrity and accountability failures because the system may continue operating after losing important context without user awareness.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The fact-extraction logic broadly captures natural-language statements such as preferences, needs, schedules, and identity-related phrases, then treats them as durable memory. In a context-optimizer skill, this makes the issue more dangerous because the feature's purpose is retention and summarization, so the code systematically converts ordinary conversation into a persistent data store that can leak sensitive information.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The summary-writing path stores extracted facts verbatim into markdown files with generic 'remember' semantics, which can expose sensitive user data to anyone or any process that can read the workspace. Because the files are human-readable and designed for later reference, they create a straightforward retention and leakage channel rather than a transient processing artifact.

VirusTotal

57/57 vendors flagged this skill as clean.