Back to skill

Security audit

para-pkm

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate PARA knowledge-base helper, but its file-changing scripts are not tightly scoped and can overwrite or delete files if given unsafe paths.

Review before installing. Use it only on a backed-up knowledge base, run scripts from the intended KB root, avoid absolute paths or ../ traversal, and check archive and output paths carefully. The concern is accidental local file overwrite or deletion, not hidden network activity or credential theft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to run local Python scripts that create, validate, reorganize, and archive knowledge-base content, which implies file read/write behavior. Because those capabilities are not explicitly declared, callers and enforcement layers may underestimate what the skill can do, reducing transparency and weakening permission-based safety controls. In this context the behavior is expected for a PKM management skill, but the undeclared capability still creates real risk of unintended filesystem access or modification.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script accepts either absolute paths or KB-relative paths and only checks that the file exists before reading, copying, and deleting it. That means a caller can archive and unlink arbitrary files outside the intended projects/active area, which is dangerous because this skill is for managing a knowledge base and may be run with broad filesystem access by an agent or user who assumes it is scoped to project files.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring claims the script moves completed projects from projects/active/ to archives, but the implementation never enforces that contract. This mismatch creates a security boundary illusion: users or higher-level agents may trust the documented scope while the code actually permits moving and deleting any existing file path, increasing the chance of unintended data loss or abuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.