Security audit

Chat Distill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed chat-style analysis and mimicry skill that reads user-provided chat exports, but users should handle the privacy and impersonation risks carefully.

Install only if you are comfortable letting the agent read the selected chat export. Use chats you own or have permission to analyze, redact sensitive details first, avoid saving reusable style profiles in shared places, and do not present generated mimicry as someone else's authentic words without consent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill instructs the agent to read user-supplied chat export files, which is a sensitive capability, but no explicit permissions are declared. Undeclared file access weakens transparency and policy enforcement, making it easier for a skill to process private local data without clear user or platform-level review. In this context, the data being read is especially sensitive because chat exports often contain personal, confidential, and third-party information.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 89% confidence
Finding: A mismatch between the declared description and the actual behavior is a security and trust issue because it prevents users and reviewers from understanding what the skill really does. If the implementation supports additional formats or performs different operations than described, it can expand data ingestion or create hidden processing paths, especially problematic for private chat archives and impersonation-style outputs. Here, the skill’s purpose already carries privacy and impersonation risk, so any undocumented capability increases the chance of misuse or unsafe deployment.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The invocation description is broad enough that the skill may activate for common requests about chat analysis or tone imitation without sufficient gating. Over-triggering is dangerous here because the skill handles potentially sensitive chat logs and can be used to imitate a real person’s writing style, raising privacy, consent, and social-engineering concerns. In a context centered on mimicry, broad invocation increases accidental or inappropriate use.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill explicitly analyzes chat exports and generates replies in someone else’s voice, but the description omits any warning about privacy, consent, or impersonation abuse. That omission is significant because users may submit highly sensitive conversations involving people who did not consent, and generated outputs may facilitate deception, fraud, or targeted social engineering. The surrounding skill context makes this more dangerous, not less, because voice mimicry from personal chats is inherently dual-use.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The parser guidance accepts a very generic `Name: msg` pattern as a valid chat format, which can cause arbitrary colon-delimited text to be misclassified as structured conversation. In a skill that distills writing style from chat exports, this can let unrelated notes, prompts, or injected content be treated as speaker messages, contaminating analysis and enabling prompt/content injection into downstream style generation.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.