Security audit

Knowledge Connector

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local knowledge tool, but its HTML graph output silently loads third-party code while displaying note-derived data.

Review before installing if you plan to import private, client, medical, legal, or enterprise notes. Use a dedicated KC_DATA_DIR, avoid opening generated HTML visualizations while online unless you accept the unpkg.com dependency, and use the clear/export controls deliberately because imported paths and excerpts are retained locally.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill initializes a persistent local datastore and later uses it to retain imported concepts, relations, source paths, hashes, and excerpts across runs. That behavior materially expands data retention beyond transient processing and creates privacy risk for sensitive notes or documents, especially because users may reasonably expect a connector to analyze inputs without silently storing them long-term.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The HTML visualization loads a third-party script from unpkg.com at runtime, which introduces external network access and a supply-chain dependency into a tool whose stated privacy boundary says sensitive notes should not be uploaded externally unless the user explicitly chooses an external tool. Even if document contents are not directly sent, loading remote JavaScript can leak metadata and enables code execution controlled by an external origin in the same page that renders user-derived data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The code creates writable local storage files automatically during initialization without any user-facing notice, which obscures the fact that user-provided knowledge data will be retained on disk. In the context of notes and document ingestion, silent persistence increases the chance that sensitive personal or enterprise information remains stored longer than the user intended.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
During document import, the skill reads full file contents and persists source metadata including file paths, excerpts, hashes, and derived concepts, yet there is no evidence of warning, consent, or redaction. For a knowledge tool operating on potentially sensitive local notes, that undisclosed retention can expose confidential information to other local users, backups, logs, or later unintended reuse.

VirusTotal

VirusTotal findings are pending for this skill version.