Back to skill

Security audit

everything-search-breadmemory

Security checks across malware telemetry and agentic risk

Overview

The skill’s goal is understandable, but it understates local file access, persistent knowledge storage, automation, and runtime executable download behavior.

Install only if you are comfortable with an agent searching local filenames, potentially reading matched files when workflows are used, storing summaries and backups locally, and downloading Everything CLI at runtime. Prefer manual installation of a verified es.exe, limit searches to explicit directories, avoid scheduled ingestion until scoped, and review/delete the local data and backup files if sensitive content is stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill metadata understates its effective capabilities: the documentation describes invoking Python scripts, interacting with local files, and potentially downloading and placing an external executable, which implies shell/process execution, file read/write, and network access. This mismatch is dangerous because users and policy engines may grant trust based on a LOW permission profile while the skill can perform materially broader actions.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The skill states it only searches file paths and does not read or modify file contents, yet it also advertises adding, storing, searching, and graphing arbitrary knowledge content. This inconsistency can mislead users about what data is being processed or retained, increasing the risk of unintentional exposure, persistence of sensitive information, or overbroad trust in the skill's privacy boundaries.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This CLI is not limited to passive local search: it exposes administrative IPC actions such as saving the database, reindexing, and interacting with Everything instance state. In a skill context, these side-effecting operations expand the attack surface because an agent or caller may trigger system-changing behavior when only search was expected.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code implements remote process-control by sending WM_CLOSE to the Everything window and then waiting for the target process to terminate. In an agent skill, this enables denial-of-service against the user's local search service and may disrupt dependent workflows without any interactive confirmation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is presented as a local file-search wrapper, but it also downloads, extracts, and later executes an external binary. Expanding a local-search skill into software installation materially changes the trust boundary and introduces supply-chain and unexpected code-execution risk for users who only expected local functionality.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill has network capability to fetch a ZIP containing an executable from the internet and then relies on that executable locally. Even though the source URL is HTTPS and appears legitimate, downloading executable content at runtime creates a supply-chain risk and can lead to arbitrary code execution if the source, transport, or hosting account is compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill indicates that on first use it may guide a download and automatically place es.exe into the skill directory, but this is not surfaced as a prominent warning in the top-level description or permissions posture. Introducing an external executable is security-sensitive because it changes the trust boundary, may enable arbitrary local process execution, and could be abused if the download source or integrity verification is weak or omitted.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Destructive or state-changing controls are exposed without any built-in confirmation dialog, dry-run behavior, or warning path. That makes accidental or indirect invocation by an agent materially more dangerous, especially in automation scenarios where commands may be assembled from natural language.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrase for the search-and-save workflow is broad enough that an agent could interpret ordinary requests as authorization to search local files, read matched content, summarize it, and persist extracted data. In a skill that touches local files and knowledge storage, weak scope constraints increase the chance of unintended data access and retention.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The daily review trigger examples are conversational and could be matched during ordinary dialogue, causing the agent to retrieve and display stored knowledge entries without a deliberate workflow invocation. While less severe than file ingestion, it still risks exposing previously stored sensitive notes or metadata unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The automated ingestion workflow describes unattended local file searching, reading, summarization, and storage without any warning, approval checkpoint, or data-minimization guidance. In this skill context, that can result in sensitive local content being processed and persisted automatically, amplifying privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The scheduler examples encourage unattended recurring execution of analysis and processing commands, but do not warn that they may continuously access local data or update stored knowledge without active supervision. This increases the risk of silent over-collection, repeated processing of sensitive files, and persistence of derived information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The search workflow can implicitly trigger a download and ZIP extraction into the skill directory when es.exe is unavailable, yet this side effect is not obvious from the function contract. Hidden network and write behavior increases the chance of surprising users, bypassing expected review, and introducing unauthorized executable content into the environment.

Unbounded Resource Access

Medium
Category
Excessive Agency
Content
else
				if (es_check_param(es_argv,L"no-time-out"))
				{
					es_timeout = 0;
				}
				else
				if (es_check_param(es_argv,L"ad"))
Confidence
74% confidence
Finding
timeout = 0

Unvalidated Output Injection

High
Category
Output Handling
Content
def get_review_records():
    """从 breadcrumb.py 获取复习记录"""
    result = subprocess.run(
        [sys.executable, BREADCRUMB_PY, "review-records"],
        capture_output=True, text=True, encoding="utf-8", errors="replace"
    )
Confidence
95% confidence
Finding
subprocess.run( [sys.executable, BREADCRUMB_PY, "review-records"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
调用拓扑甜甜圈引擎,获取关联面包屑
    """
    try:
        result = subprocess.run(
            [sys.executable, TOPOLOGY_DONUT_PY, "expand", "--id", entry_id],
            capture_output=True, text=True, encoding="utf-8", errors="replace"
        )
Confidence
95% confidence
Finding
subprocess.run( [sys.executable, TOPOLOGY_DONUT_PY, "expand", "--id", entry_id], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
try:
        # es.exe 输出编码取决于控制台代码页,中文 Windows 默认 GBK。
        # 先尝试 UTF-8,若包含替换字符则回退到 GBK。
        raw = subprocess.run(
            cmd,
            capture_output=True, timeout=30
        )
Confidence
95% confidence
Finding
subprocess.run( cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
everything_running = False
    if ok:
        try:
            r = subprocess.run([path], capture_output=True, timeout=5)
            everything_running = r.returncode != 8  # 8 = Everything service not running
        except Exception:
            pass
Confidence
95% confidence
Finding
subprocess.run([path], capture_output

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
| **Claude Code** | `.claude/settings.json` hooks | 同 cron 语法 |
| **GitHub Actions** | `.github/workflows/` YAML | `on: schedule: - cron: '0 2 * * *'` |
| **通用(手动)** | 用户手动执行 | `python topology_donut.py generate` |
Confidence
75% confidence
Finding
crontab -e` 添加定时任务 | `0 2 * * * python

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.