Back to skill

Security audit

CrabPath

Security checks across malware telemetry and agentic risk

Overview

CrabPath appears to be a legitimate memory-graph tool, but it can persistently change agent memory and send or store sensitive workspace and query data without strong consent controls.

Install only if you are comfortable with an agent maintaining persistent memory over selected workspaces. Prefer the hash/local path for sensitive data, review every OpenAI-backed example or adapter before use, restrict indexed workspace and session paths, secure or rotate journal/fired logs, and require explicit approval for learn, inject, sync, maintain, merge, prune, and compact actions in high-trust environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This example adapter hard-requires an OpenAI API key and is designed to send derived workspace/session content to OpenAI for embeddings and chat completions. In the context of a skill described as a pure memory-graph engine with caller-provided callbacks, this creates an unexpected outbound data flow and external dependency that can expose sensitive local data if users run the example without understanding the privacy implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw node content and query text to the OpenAI embeddings API via `client.embeddings.create(...)`. Because the dataset includes paragraph content and questions, this creates an external data egress path without any explicit notice, consent gate, redaction, or configuration to prevent sensitive content from being transmitted. In a benchmark script this is often intentional, but it is still a real privacy/security concern if users run it on non-public or regulated data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function sends raw file names and full node content to caller-provided LLM callbacks, which can forward that data to external services without any built-in consent, minimization, or policy checks. In a memory/graph engine, node content may contain sensitive cross-file context, so this creates a real data-exposure risk even though the feature appears intended for legitimate connection scoring.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
When OPENAI_API_KEY is present, query text is sent to a remote embeddings API automatically, which can exfiltrate sensitive user input or memory contents to a third party without an explicit opt-in at the daemon interface. In a long-running memory engine, queries may contain confidential prompts, identifiers, or internal knowledge, so silent network transmission materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persistently records raw query text, fired IDs, node counts, and optional metadata to a local JSONL journal by default, but there is no indication of user notice, consent, minimization, or redaction. In a memory/query engine, queries and metadata can easily contain sensitive prompts, personal data, secrets, or proprietary context, so silent telemetry storage creates a real privacy and data exposure risk even if the file remains local.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends raw node contents directly to caller-provided LLM callbacks for merge decisions, which can expose potentially sensitive memory graph data to an external model provider or logging pipeline. In this skill's context, the graph appears to hold memory-like content, so undisclosed transmission to an LLM increases privacy and data-handling risk even if the callback is optional and caller-supplied.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code forwards the raw query and retrieved chunk contents to a caller-supplied LLM callback for scoring, which can send that data to an external service. Because queries and retrieved nodes may contain sensitive user data, documents, or secrets, this creates a real confidentiality/privacy exposure if used without explicit consent, filtering, or deployment controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`generate_summaries` sends each node's full `content` to the caller-provided LLM callback as the `user` prompt. In a memory/workspace engine, that content may include source code, secrets, proprietary docs, or personal data, and the function provides no built-in disclosure, consent gate, redaction, or safety control before exfiltrating data to an external model endpoint. The skill context makes this more dangerous because the library is explicitly designed to process workspace contents at scale, so accidental bulk transmission is a realistic outcome.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`split_workspace` reads workspace files and, when LLM splitting is enabled, sends full file text in `llm_requests.append({"id": rel, "system": SPLIT_PROMPT, "user": text})`. This can exfiltrate sensitive repository contents to an external LLM service without any user-facing warning or mandatory acknowledgement, and the skill context increases risk because the feature operates over entire workspaces rather than isolated snippets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs operators to use an OPENAI_API_KEY and OpenAI embeddings but does not warn that workspace content may be transmitted to a third-party provider or that API keys must be handled securely. In a memory/knowledge-base system, operators may embed sensitive internal documents, so missing privacy and credential-handling guidance can lead to unintended data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation recommends logging query traces, fired node IDs, and learning outcomes without noting that these records may contain user prompts, retrieved content, or sensitive operational context. Because this skill is a memory graph engine intended for agent knowledge and query handling, these logs are especially likely to accumulate sensitive data and create a durable leakage surface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When --chat-id is provided, the script silently persists the raw query text, fired node identifiers, and a timestamp to a local JSONL file. Queries and retrieved node IDs can contain sensitive user data, prompts, or internal memory references, and the lack of explicit disclosure/consent increases privacy and data-retention risk, especially in shared environments or when state files live in synced/workstation-accessible directories.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly directs users to run an example that uses real OpenAI embeddings, but it does not disclose that workspace content may be transmitted to a third-party API over the network. In a memory graph or document-processing context, users may reasonably supply sensitive local data, so the missing privacy and data-flow warning creates a real risk of unintended data exfiltration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
At this point in execution, workspace-derived text nodes are embedded through the OpenAI client, which sends potentially sensitive content from the local workspace to a third-party service. Because this is an example adapter and there is no explicit user-facing consent or disclosure in the code path, users may unintentionally exfiltrate proprietary or private data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The chat completion callback transmits session query text to the OpenAI API, which may include prompts, secrets, internal file contents, or user data. Even though the input is truncated to 4000 characters, the code still creates undisclosed outbound transfer of potentially sensitive session content to an external provider.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
When --chat-id is used, the script writes chat IDs, raw query text, and fired node history to fired_log.jsonl without user warning, access controls, minimization, or configurable retention beyond a fixed TTL. In an agent or shared execution environment, this can expose sensitive prompts, identifiers, and graph traversal history to other local users or subsequent processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script embeds workspace markdown, learning-database content, and replay-derived text through the OpenAI embeddings API without any consent gate, redaction, or warning. Because these sources may contain proprietary data, secrets, personal data, or sensitive session history, this creates an external data-exfiltration/privacy risk that is amplified by the script's role as a bulk rebuild tool over multiple agent workspaces.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
When OPENAI_API_KEY is present, the script enables external embedder and LLM callbacks without explicit user disclosure at runtime that state-derived content may be transmitted to a third-party service. In a maintenance workflow over memory-graph state, that can lead to unintended data egress of potentially sensitive graph contents or summaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.