
Security audit

Wiki

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine personal-wiki helper, but it also performs persistent setup, git publication workflows, and optional memory reads, all of which need careful review before use.

Install only if you want an agent-maintained wiki that can change your local Python environment, create git history, run an auto-starting localhost server, and optionally publish wiki contents to a git remote. Keep remote push disabled unless you have reviewed the destination, and do not enable heartbeat memory-gap detection unless you are comfortable with memory notes influencing wiki updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill’s declared purpose is knowledge-base maintenance, but the instructions also authorize package installation, git initialization/commits, optional remote sync, and creation of persistent OS-level services. That scope expansion is security-relevant because it turns a content-management skill into one that can modify the host environment, establish persistence, and potentially transmit data, all without clear up-front consent boundaries.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill file first says that pushing is optional and requires `--push`, but its Build & Deploy section later states that every build pushes to the remote. Contradictory operational guidance is dangerous because an agent may adopt the more permissive reading and push wiki contents to a remote unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The heartbeat extension explicitly broadens the wiki skill's data access beyond `~/wiki/` to read `heartbeat-state.json` and `memory/` notes. Even though it is described as optional, this creates cross-scope access where potentially sensitive agent memory can influence wiki maintenance, increasing the chance of unintended data exposure or use beyond the user's expected wiki boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documentation instructs the workflow to run `scripts/build.sh`, and the notes state that this script commits locally by default and may optionally push to a remote. Triggering a repository script from a maintenance workflow means executing whatever local code that script contains, with side effects such as commits, or exfiltration via a networked push, if the script is modified or misunderstood.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Using recent memory and daily notes to detect wiki gaps turns a wiki-linting feature into agent-wide content mining. This creates a channel where private or unrelated memory contents can be processed for a different purpose, potentially surfacing sensitive topics in the wiki or logs without clear user expectation or consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script creates persistent OS-managed services (LaunchAgent/systemd user service) and starts a local HTTP server automatically. That exceeds simple wiki bootstrapping and introduces background execution and persistence, which meaningfully expands attack surface even if the server binds only to 127.0.0.1.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The bootstrap script installs software via pipx/pip3, which is a system-modifying action with supply-chain and environment-integrity risk. For a wiki skill, automatic dependency installation is more privileged than content management and can unexpectedly alter the user's Python environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script initializes a git repository and can push to a user-supplied remote, introducing version-control publication and outbound network behavior beyond basic local wiki setup. If invoked with a remote, local content may be uploaded off-host without sufficient friction or confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Instructing the agent to always push after content changes creates a clear risk of transmitting potentially sensitive personal wiki contents off the local system without an explicit warning or confirmation step. In the context of a personal knowledge base, that data may include private notes, research, or conversation-derived material, making unintended remote sync materially harmful.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The skill encourages proactively filing durable knowledge from conversations into a persistent wiki, which can capture user content beyond the immediate task if consent is implied rather than explicit. In a personal wiki context this is somewhat aligned with the skill’s purpose, but it still creates privacy and retention risk because users may not expect broad persistence of chat-derived material.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow describes automatic writes to `docs/log.md`, fixes within `~/wiki/docs/`, and execution of a build script without a strong upfront warning about modification and version-control side effects. In an automated heartbeat context, these actions may occur without contemporaneous user awareness, making unintended file changes or commits more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs package installation, git setup/push, and persistent service creation without a strong upfront warning or interactive confirmation. These actions change the host environment and persistence state, so doing them silently increases the risk of unexpected system modification and data exposure.

Ssd 3

Medium
Confidence
91% confidence
Finding
The instructions say to file conversation-produced knowledge directly, update many related pages, and append activity to a durable log, but they provide no sensitivity filters or confirmation safeguards. This can cause broad persistence and propagation of private or incorrect user information across multiple files, increasing exposure and making later cleanup difficult.

Ssd 3

Medium
Confidence
90% confidence
Finding
The append-only, grep-friendly log format preserves sources, touched pages, and summaries in a durable audit trail, which can unintentionally retain sensitive filenames, URLs, or user-derived summaries even after primary content is changed. Because the log is explicitly designed to be persistent and easy to parse, it increases the blast radius of any sensitive ingestion.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.
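A pattern-based static pass reporting nothing is consistent with the findings above: none of the flagged behavior is obfuscated or malicious in the malware sense. It is ordinary git, pipx/pip3, LaunchAgent/systemd and local HTTP-server usage whose risk lies in scope, persistence and off-host publication. A cheap pre-install check is to grep the bundle for exactly those primitives and for the contradictory push guidance the Intent-Code Divergence finding describes. The scanner below is an added example, not SkillSpector's code or the skill's own; the regexes are assumptions about how such calls usually appear in scripts and SKILL.md prose, and the sample SKILL.md and scripts are constructed here to mirror the findings (the `~/wiki/` scope and the `heartbeat-state.json` and `memory/` paths are taken from the findings).

```python
"""Targeted pre-install scan of an agent skill bundle.

Added example (not SkillSpector's or the skill's code). It scans the
bundle's docs and scripts for the capability classes the findings name:
remote publication, persistence, package installation, local server
start, reads outside the declared ~/wiki/ scope, and contradictory push
guidance. The sample bundle below is constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One regex per capability class. These are assumptions about how the
# primitives usually appear in shell scripts and SKILL.md prose.
RULES = [
    ("remote publication", re.compile(r"\bgit\s+(push|remote\s+add)\b")),
    ("persistence", re.compile(r"launchctl|LaunchAgents|systemctl\s+--user|\.service\b")),
    ("package install", re.compile(r"\b(pipx|pip3?)\s+install\b")),
    ("local server", re.compile(r"http\.server|mkdocs\s+serve|localhost:\d+")),
    ("out-of-scope read", re.compile(r"heartbeat-state\.json|\bmemory/")),
]
# A doc that presents `--push` as opt-in and elsewhere says pushing is
# unconditional is the contradiction in the Intent-Code Divergence finding.
OPTIONAL_PUSH = re.compile(r"--push")
UNCONDITIONAL_PUSH = re.compile(r"\b(always|every build|each build)\b[^.\n]*\bpush", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # 0 for file-level findings
    category: str
    evidence: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Line-by-line match of RULES, plus the file-level push-guidance check."""
    out: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks and script comments; '#' lines in Markdown are headings.
        if not line or (line.startswith("#") and not path.endswith(".md")):
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                out.append(Finding(path, no, category, line))
    if OPTIONAL_PUSH.search(text) and UNCONDITIONAL_PUSH.search(text):
        out.append(Finding(path, 0, "contradictory push guidance",
                           "optional `--push` and unconditional push both documented"))
    return out


def scan_bundle(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> contents (read from disk in real use)."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]


def summarize(findings: list[Finding]) -> Counter[str]:
    return Counter(f.category for f in findings)


# Constructed sample bundle mirroring the behaviors described in the findings.
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "# Wiki skill\n"
        "Maintains ~/wiki/docs/. Pushing is optional and requires `--push`.\n"
        "## Build & Deploy\n"
        "Run scripts/build.sh; every build pushes to remote.\n"
        "## Heartbeat (optional)\n"
        "Read heartbeat-state.json and recent memory/ notes to find wiki gaps.\n"
    ),
    "scripts/bootstrap.sh": (
        "#!/usr/bin/env bash\n"
        "pipx install mkdocs || pip3 install --user mkdocs\n"
        "git init ~/wiki\n"
        '[ -n "$REMOTE" ] && git remote add origin "$REMOTE"\n'
        "cp wiki.plist ~/Library/LaunchAgents/\n"
        "systemctl --user enable --now wiki.service\n"
        "python3 -m http.server --bind 127.0.0.1 8000 &\n"
    ),
    "scripts/build.sh": (
        "#!/usr/bin/env bash\n"
        "# git push happens only with --push\n"
        "mkdocs build\n"
        'git add -A && git commit -m "wiki: rebuild" || true\n'
        '[ "$1" = "--push" ] && git push origin main\n'
    ),
}

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"{f.path}:{f.line} [{f.category}] {f.evidence}")
    print(dict(summarize(results)))
```

Against the constructed bundle this yields eight findings: two remote-publication hits (`git remote add` in the bootstrap, `git push` in the build script), two persistence hits, one package install, one local server, one out-of-scope read, and the file-level push contradiction in SKILL.md. Script comments are skipped because they do not execute; Markdown lines are always scanned because, for an agent skill, the prose is the instruction set. To use it on a real bundle, build the `files` dict by reading each file under the skill directory, and treat any hit outside the declared scope as a question to answer before installing rather than as proof of malice.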