Tp4
High
- Category: MCP Tool Poisoning
- Confidence: 94%
- Finding: The skill is presented as a simple conversation-learning logger, but the documented behavior extends into session-wide hook injection, automatic prompt-triggered reminders, tool-output scanning, and skill scaffolding. This mismatch is dangerous because operators may enable it with a much broader trust boundary than intended, causing unexpected persistence, monitoring, and modification behavior across sessions.
