Security audit

Context Compression Claude Code Custom

Security checks across malware telemetry and agentic risk

Overview

This context-compression skill is not malicious, but it needs review because it can automatically summarize conversations and persist user details, including account/config information, without strong consent or redaction rules.

Install only if you want the agent to create or update persistent memory from conversation history. Do not let it store passwords, API keys, session tokens, private account details, or sensitive personal data. Review the memory file after compression, and enable the automatic hook only if you are comfortable with future compaction events prompting memory updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium, 88% confidence
Finding
The skill advertises broad trigger phrases like 'summarize' and 'clean up' plus automatic activation when context is 'getting long,' without defining clear boundaries or requiring confirmation. In practice, this can cause unintended invocation during ordinary conversation, leading to silent compression, loss of salient context, or unexpected memory writes.

Vague Triggers

Low, 80% confidence
Finding
The auto-trigger section says compression may run automatically via PreCompact hooks but does not specify when, under what thresholds, or with what safeguards. That ambiguity increases the chance of unexpected execution and makes it hard for users or operators to predict when context will be rewritten or persisted.

Missing User Warnings

Medium, 92% confidence
Finding
The top-level description emphasizes preserving important information but does not clearly warn that the process may discard conversation content and write retained data into a memory file. This undermines informed consent and can surprise users with persistence or deletion of data they did not expect to be transformed or stored.

Vague Triggers

Medium, 92% confidence
Finding
The manual trigger phrases are generic enough to collide with ordinary user requests about summarizing or cleaning up a conversation, which can cause the skill to activate unexpectedly. In this skill's context, unexpected activation is more sensitive because compaction is paired with memory-writing behavior, so a normal request could indirectly trigger persistence of user data or loss of conversational detail.

Missing User Warnings

Medium, 95% confidence
Finding
The PostCompact prompt instructs the agent to write user preferences, incomplete tasks, and important decisions to a memory file but does not warn that this is persistence of potentially sensitive personal data. That omission undermines informed use and increases the risk of silently storing private information beyond the immediate session.

Missing User Warnings

Medium, 94% confidence
Finding
The OpenClaw example similarly directs post-compaction writing of user preferences, tasks, and decisions to a memory file without disclosing that user data will be retained. In the context of an automatic compression hook, this makes the behavior more dangerous because it can happen routinely and without an obvious per-use reminder to the operator or user.

Ssd 3

High, 98% confidence
Finding
The guidance explicitly treats 'key credentials or config' as must-preserve data and instructs writing high-persistence information to a memory file. Storing credentials, account details, paths, or special settings in durable memory materially increases the blast radius of prompt injection, later disclosure, cross-session leakage, and accidental exposure across channels or users.

VirusTotal

63/63 vendors flagged this skill as clean.