Caveman Input Compression

Security checks across malware telemetry and agentic risk

Overview

This is a real file-compression utility, but it can send local workspace file contents to model providers and its safety boundaries are weaker than the description suggests.

Install only if you are comfortable with chosen files being sent to Claude, MiniMax/OpenAI-compatible endpoints, or DeepSeek using credentials already available in your environment. Use only explicit file paths you intend to compress, avoid files containing secrets, prefer dry-run/manual review, and verify backups before relying on rewritten workspace context files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill advertises operational behaviors that require sensitive capabilities including environment access, file read/write, and shell/subprocess execution, but it declares no permissions. This creates a transparency and governance gap: reviewers or runtime policy systems may underestimate what the skill can do, even though it can overwrite files and invoke external tooling.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The stated purpose is local file compression, but the documentation reveals that file contents may be sent to external model providers via Claude CLI, MiniMax, or DeepSeek using subprocess and curl. That mismatch is dangerous because users may provide sensitive workspace files under the assumption that processing is local, when the skill can exfiltrate their contents to third parties.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The manifest and top-level description frame the skill as a local compressor, but the API fallback section explicitly documents external model/API use. This discrepancy can mislead users and security tooling about data exposure, especially for bootstrap or memory files that may contain secrets or sensitive operational context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: A file compressor does not inherently require subprocess-driven curl calls to external AI services, so this design substantially expands the attack surface. It introduces risks around data leakage, command invocation abuse, and reliance on external endpoints for processing content that may be sensitive.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The skill is presented as a local workspace compressor, but it sends file contents to an external CLI and HTTP-compatible model endpoints. In a bootstrap or memory-file context, those files may contain secrets, system prompts, internal instructions, or sensitive project data, so this mismatch materially increases the risk of unintended data exfiltration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The code reads API credentials from environment variables and uses them to contact remote model services, which is a materially broader capability than a simple file compressor implies. While reading configured credentials is common, doing so without prominent disclosure or tight scope expands the attack surface and can surprise users into authorizing data transfer they did not expect.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrase 'compress memory file' is broad enough to match ordinary conversation, increasing the chance of accidental activation. In this skill's context, accidental invocation is more dangerous because the action can overwrite files and potentially send their contents to external services.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: File contents are transmitted to model endpoints without an explicit warning, consent step, or sensitivity check. Because the target files are workspace bootstrap and memory files, they are especially likely to contain credentials, internal instructions, or sensitive operational context, making silent transmission more dangerous in this skill than in a generic text utility.

VirusTotal

67/67 vendors flagged this skill as clean.
