context-compression-claude-code

Security checks across malware telemetry and agentic risk

Overview

This is a real context-compression helper, but it may persist sensitive conversation details, including credentials or configuration, into long-term memory and can be configured to run automatically.

Review before installing. Use it only if you are comfortable with selected conversation history being saved to a memory file, and do not allow it to store passwords, API keys, tokens, private account details, or sensitive paths/configuration. Enable the optional auto-compaction hooks only if you want memory updates to happen automatically, and inspect/delete the memory file periodically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Context-Inappropriate Capability

Medium, 95% confidence
The skill explicitly treats 'key credentials or config' as content to preserve and later write into a memory file, which exceeds the minimum data needed for context compression. Persisting secrets during summarization materially increases the attack surface by turning transient sensitive data into durable stored data that could be exposed, reused, or leaked later.

Vague Triggers

Medium, 83% confidence
The activation criteria are broad enough to trigger on ordinary long conversations or vague phrases like 'summarize' or 'clean up,' which can cause the skill to run without a clearly bounded user expectation of durable memory updates. In this skill's context, accidental triggering matters because execution includes compressing history and writing a memory file, creating privacy and integrity risks from over-collection or unwanted persistence.

Missing User Warnings

Medium, 94% confidence
The top-level description says the skill 'writes a structured memory file' but does not clearly warn users, at trigger time, that portions of their conversation may be persisted beyond the immediate session. Because this is a context-compression skill that may auto-trigger, insufficient notice undermines informed consent and increases the chance that sensitive or private content is stored unexpectedly.

Missing User Warnings

High, 98% confidence
The instruction to preserve 'key credentials or config' lacks any warning, restriction, or redaction requirement for sensitive data. In a memory-writing workflow, this omission is dangerous because it normalizes retaining secrets as durable state, substantially increasing the consequences of later compromise, logging exposure, or cross-task misuse.

Vague Triggers

Medium, 91% confidence
The manual trigger phrases are broad enough to overlap with ordinary user requests such as summarizing or cleaning up a conversation, which can cause the skill to activate unexpectedly. In this skill's context, unintended activation is more dangerous because the compression workflow is paired with hooks and memory-writing behavior, so a normal conversational request may indirectly lead to persistence of user data or loss of important context.

Missing User Warnings

Medium, 96% confidence
The PostCompact prompt explicitly directs the agent to write user preferences, incomplete tasks, and important decisions to a memory file without any user-facing notice, consent check, or data-minimization rule. This creates a privacy and data-governance risk because sensitive personal or behavioral information may be persisted automatically during routine compression events.

Ssd 3

High, 99% confidence
This is a direct sensitive-data handling flaw: the skill instructs preserving and writing credentials into a memory file. In the context of a compression utility, this is especially dangerous because the feature's purpose is summarization, not secret management, so retaining secrets is unnecessary and creates a durable repository of highly exploitable data.

Ssd 3

Medium, 97% confidence
This prompt plainly instructs persistent storage of user-derived information in a memory file, which can include preferences, tasks, and decisions that reveal personal habits or sensitive context. Because it is embedded in an automated post-compaction workflow, the storage may occur without meaningful review or explicit user approval, increasing the risk of silent retention.

Ssd 3

Medium, 95% confidence
The OpenClaw post-compaction prompt semantically tells the agent to store user preferences, incomplete tasks, and decisions after compression, again without an explicit consent or privacy-control step. The skill context makes this more dangerous because it is designed for automatic use when context fills up, so persistence can happen regularly and quietly as part of normal operation.

VirusTotal

63/63 vendors flagged this skill as clean.
