Security audit

Zwjh Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it asks an agent to repeatedly analyze private conversation memory and persist derived lessons with incomplete controls around confirmation and retention.

Install only if you are comfortable with a skill reading local conversation-memory files and creating long-term summaries from them. Before using automation or MEMORY.md updates, require the agent to show the exact entries it will write, avoid storing secrets or sensitive personal details, and periodically review or delete retained memory and generated reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
The document promises user confirmation before modifying MEMORY.md, but the provided update_memory example writes directly to the file with no confirmation gate. In an agent setting, this can cause silent persistence of extracted user data or preferences, undermining user consent and making accidental long-term storage more likely.

Vague Triggers

Medium
Confidence: 87%
Finding:
The trigger phrase '帮我配置' (roughly "help me configure") is highly generic and likely to appear in ordinary conversation, making accidental invocation plausible. In this skill, accidental activation is more dangerous because setup behavior includes environment checks and possible file creation, which can lead to unintended state changes without clear user intent.

Vague Triggers

Medium
Confidence: 84%
Finding:
Multiple open-ended natural-language triggers create ambiguous activation boundaries, increasing the risk that ordinary user requests are interpreted as commands to read memory, analyze past conversations, or write reports. Because the skill handles persistent user-derived data, accidental invocation can expose or retain sensitive information unexpectedly.

Ssd 3

Medium
Confidence: 92%
Finding:
The skill is explicitly designed to read conversation memory, infer user preferences and lessons, and persist them into long-term storage. This creates a data retention and profiling surface where sensitive personal, behavioral, or operational details may be stored longer than necessary and later surfaced in reports or future interactions.

Ssd 3

Medium
Confidence: 93%
Finding:
The workflow formalizes continuous extraction from conversations into long-term memory, which compounds privacy risk over time and normalizes silent retention. In context, the danger is elevated because the process is framed as automated and recurring, reducing the chance that users notice what information is being accumulated.

Ssd 3

Medium
Confidence: 90%
Finding:
The memory analysis module extracts user messages, topics, mood, and lessons from daily conversation logs, creating derived personal data beyond the original text. Mood and preference inference can be especially sensitive because it turns routine dialogue into persistent behavioral profiling.

Ssd 3

Medium
Confidence: 94%
Finding:
Writing analysis results into MEMORY.md for long-term accumulation persists user-derived information in a durable form that may later be reused, exposed, or misinterpreted. The risk is increased because the content includes inferred preferences and error history, not just user-authored facts, which can amplify privacy harm and data quality issues.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.