Security audit

LiQun Context Manager

Security checks across malware telemetry and agentic risk

Overview

This is a small local search helper with an under-disclosed search of the local skills folder, but no evidence of network activity, persistence, credential access, destructive behavior, or exfiltration.

Install only if you are comfortable with this helper searching local Markdown and JSON files under both `memory` and `skills`. Keep secrets out of those folders, or narrow `SEARCH_DIRS` to `memory` before use if you only want conversation-memory lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation shows code capabilities for reading files via memory-search functions, but it declares no permissions. Undeclared file-read capability weakens transparency and consent boundaries, and in a context-management skill this could let the agent access local memory or other files beyond what users expect. The skill’s stated purpose makes file access somewhat relevant, but the lack of explicit permissioning still makes the behavior dangerous.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared purpose is limited to managing conversation context and retrieving historical memory, but the analyzed behavior indicates recursive search and full-content reading of files in the skills directory. That scope expansion can expose unrelated skill contents, embedded secrets, prompts, or internal logic, creating unintended data exfiltration and cross-skill information leakage. In a context-manager skill, this mismatch is especially risky because broad retrieval may be normalized as 'memory access' and evade user scrutiny.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill’s stated purpose is managing conversation context and memory retrieval, but the implementation also searches the entire 'skills' directory. That expands its data access beyond the declared scope and can expose other skill code, embedded prompts, configuration data, or secrets that may be present in those files, violating least-privilege and enabling cross-skill information disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: Reading files from the 'skills' directory is not justified by the skill’s context-memory function and creates unnecessary access to potentially sensitive application assets. Because the search is keyword-based and recursively reads .md and .json files, a user could use this feature to enumerate or retrieve information from other skills, increasing the risk of prompt leakage, internal metadata exposure, or secret disclosure if such data is stored there.

VirusTotal

No VirusTotal findings