Back to skill

Security audit

knowledge-advisor

Security checks across malware telemetry and agentic risk

Overview

This skill coherently manages a local book-based knowledge base, with file changes and URL fetching tied to user-directed ingest, sync, and remove workflows.

Install if you want a local, file-based knowledge advisor for books and articles. Use it with the expectation that finalized ingestions will write extracted content and source metadata into knowledge-base/, sync will rewrite local indexes, and remove can delete a selected book directory after confirmation. Avoid giving it private documents or sensitive URLs with tokens/query strings unless you are comfortable storing that information locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly authorizes shell-script execution for KB initialization and maintenance (`init-kb.sh`, later rebuild scripts) even though its primary role is advisory/knowledge management. That expands the skill from read/query behavior into code execution and filesystem mutation, which increases risk if paths, scripts, or workspace contents are attacker-controlled or unexpectedly modified.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The Sync and Remove workflows depend on running a rebuild shell script after content changes. In a skill that handles user-supplied book data and book-directory manipulation, this creates an unnecessary command-execution surface where malicious workspace state, altered scripts, or path confusion could lead to unintended actions beyond index rebuilding.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include broad natural-language expressions such as 'advise me' and 'how should I handle,' which can match ordinary conversation and cause unintended invocation of a skill that reads, writes, syncs, and deletes knowledge-base files. In this skill context, accidental activation is more dangerous because the skill has filesystem-modifying workflows, including initialization, rebuild, and removal operations.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The Telegram UX guidance instructs the agent to fetch arbitrary user-supplied URLs and persist the source URL in metadata, but it does not require an explicit notice or consent step for outbound network access or metadata retention. This creates a real privacy/transparency issue: users may not expect the system to contact third-party servers immediately or to store the original URL, which can embed sensitive query strings, document IDs, or internal locations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include common language such as 'advise me' and 'how should I handle,' which can cause accidental invocation in ordinary conversation. Because this skill can write files, delete directories, and run scripts, unintended activation is more dangerous than in a read-only skill and may lead to unwanted state changes or processing of sensitive content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs system-modifying actions—creating KB directories, writing multiple files, deleting book directories, and invoking scripts—without an upfront warning in the skill contract that it mutates local state. Users may invoke it expecting advice/search only, while the skill can persist or remove data in the workspace.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Telegram UX guidance explicitly tells the agent to fetch arbitrary user-supplied URLs and store the source URL in metadata, but it provides no consent language, allowlist restrictions, or safeguards around internal/private addresses. In a skill that ingests and persists knowledge sources, this can enable unintended external requests, privacy leakage, and storage of sensitive URLs supplied by users, especially if operators or users are unaware that network access and retention occur.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.