Security audit

Token Reduction Engine

Security checks across malware telemetry and agentic risk

Overview

This looks like a local LLM answer cache, but it needs review because it stores answers persistently and advertises several safety/configuration controls that the included code does not implement.

Install only if you want a persistent local answer cache and are comfortable with LLM answers being written to disk. Do not rely on this skill as a complete command blocker, intent gate, tamper-proof cache, facts database, or fully configurable gateway unless those controls are separately verified. Avoid caching secrets, personal data, regulated data, or proprietary responses unless you isolate and manage the cache yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill advertises itself as standalone and local, but the content indicates capabilities consistent with file read/write, shell installation commands, and network access without any declared permissions or explicit trust boundary. Undeclared capabilities are dangerous because users and orchestration systems cannot accurately assess what the skill may access or modify, increasing the chance of unauthorized data persistence, command execution, or outbound requests.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented behavior does not cleanly match the described purpose: it reportedly persists cached data to disk, may POST cached answers to a Brain API, and performs response filtering rather than the claimed deterministic query validation. This mismatch is security-relevant because users may supply sensitive prompts or rely on claimed safeguards without realizing data is being retained or transmitted in ways not clearly disclosed.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The implementation materially differs from the advertised skill purpose: it is a hallucination detector with hardcoded fact checks, not a token-reduction or caching engine. This kind of capability mismatch is dangerous because users may deploy it under false assumptions, causing security, privacy, or operational controls to be misapplied and reducing trust in what the skill actually does.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The API reference documents integration that sends query/answer pairs to an external Facts DB, which expands the skill from local token reduction/caching into data export. That scope expansion is security-relevant because users may provide sensitive prompts or responses, and the documentation gives no clear consent, trust boundary, or data handling constraints.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Documenting external Brain API storage without justification for the token-reduction use case indicates unnecessary data collection and transfer. Unnecessary outbound storage increases attack surface and can lead to retention of sensitive prompts, responses, or proprietary business information in another system.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The file presents itself as a token reduction/query validation component, but it actually stores and serves LLM answers, including persistence to disk. This mismatch is dangerous because operators may grant the skill access under false assumptions, allowing hidden retention of user content and changing the trust boundary of the system.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The legacy API `reduce_tokens` claims to reduce query size, but on cache hit it returns a cached answer in the `reduced_query` field. This can cause downstream components to unknowingly treat model output as sanitized user input, enabling data confusion, privacy leakage across sessions, and unsafe routing decisions.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The documentation explicitly says persistence is only a user-facing cache and not a permanent knowledge store, yet the module also contains functionality to write answers into a Brain API knowledge base. Even if not invoked in this file path, this discrepancy conceals a broader data-retention capability that can mislead reviewers and users about where their data may end up.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The module includes a function that transmits user-derived query and answer content to a separate knowledge base service, which exceeds the expected scope of a token-reduction tool. In this skill context, hidden knowledge-base writes are especially risky because users and integrators would not expect their prompts and model outputs to be repurposed for long-term storage.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill states that the cache is persisted across restarts, but it does not clearly warn that cached queries and answers may include sensitive user data and will be written to disk. In a token-reduction/cache skill, this context makes the issue more dangerous because the very feature encourages broad capture and reuse of user prompts, which may contain secrets, personal data, or proprietary information.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The script writes a detailed JSON report containing query and response data to a local file without explicit disclosure or controls. If the inputs contain sensitive prompts, user data, or proprietary content, this can create unintended data persistence and leakage through logs, shared working directories, backups, or later collection by other processes.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation states that caching may auto-call a Brain API endpoint and POST query/answer data, but provides no privacy, confidentiality, or user-impact warning. In this skill context, prompts and model answers can easily contain secrets, internal policies, or personal data, so silent network transmission materially increases risk.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The guide explicitly recommends a persistent cache file and auto-persistence behavior, but does not warn that prompts, queries, or model outputs may be stored on disk and survive restarts. In an agent context, cached content can include sensitive business data, user inputs, or generated responses, creating an avoidable confidentiality and retention risk if the host is shared, backed up, or compromised.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The integration examples cache both queries and answers in normal control flow without any notice that these values may contain sensitive user content, internal facts, or model-generated data that should not be retained. Because this skill is designed for cost reduction through aggressive caching and may integrate with a company knowledge system, the context increases the chance that confidential enterprise data will be stored and reused inappropriately.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The code persists cached answers and query hashes to disk automatically without any user-facing notice, consent, or retention policy. Even with hashed queries, stored answers can contain sensitive content, and exact-query hashing is often reversible for predictable prompts through dictionary matching.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The HTTP request sends query-derived and answer-derived content to another API without any user-facing disclosure or consent. This creates an undisclosed data-sharing path, and even though the endpoint is localhost, it still crosses component boundaries and may feed a broader system knowledge base.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.