Context Relay

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local memory helper, but it gives agents persistent project-state and commit authority without clear user approval boundaries.

Install only if you want agents to maintain durable project memory in local files. Require confirmation before initialization, writes, cleanup, or any git commit; avoid storing secrets or sensitive private notes in the context files; and run the initializer without --force unless you intentionally want to overwrite existing context files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs writing and updating multiple project files and references an initialization script, but it declares no permissions or safety boundaries. That mismatch can cause an agent or reviewer to underestimate its ability to modify local state, increasing the risk of unintended file changes or abuse in sensitive directories.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill as a memory continuity mechanism, but the documented behavior includes filesystem inspection, file creation, overwriting templates, and committing changes. This behavior-description gap is dangerous because it obscures material side effects, making it easier for the skill to be invoked in contexts where users do not expect repository modification.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file documents a persistent, agent-managed cross-session todo system that materially expands the skill's behavior beyond simple context relay. That creates hidden statefulness and authorization creep: an agent could begin tracking, prioritizing, and continuing work across sessions without explicit user consent, which is risky in a skill whose stated purpose suggests passive context transfer rather than autonomous task management.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The text explicitly says the agent manages the todo list autonomously and is not dependent on user instructions, authorizing self-directed task creation and review. This is dangerous because it encourages the agent to take durable actions and make workflow decisions outside the user's immediate request, increasing the chance of unauthorized persistence, scope drift, and surprising behavior across sessions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger words are broad concepts like 'memory fragmentation,' 'cross-session,' and 'persistent context,' which can match many benign conversations and cause accidental activation. Unintended invocation is risky here because the skill's workflow includes reading project files, updating state, and potentially committing changes, so vague triggers expand the chance of unauthorized or surprising side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly tells the agent to update state files, append decisions, update todos, and commit file changes, yet it does not instruct the agent to warn the user or obtain approval before modifying the repository. In a security context, silent writes and commits are dangerous because they can alter source trees, pollute version history, or overwrite trusted project artifacts without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cron-task guidance explicitly instructs autonomous behavior: reading project state, performing a scheduled operation, updating state.json, and sending a notification via a message tool, but it does not require prior user opt-in, scope limits, or confirmation before modifying files or messaging. In an agent skill, this creates a real safety issue because scheduled execution can cause unintended state changes or outbound communications without the user's contemporaneous awareness, especially after restarts or in heartbeat contexts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs the agent to manage todos.json across sessions but does not clearly warn that this involves reading and modifying persistent workspace data. In the context of a context-relay skill, this is more dangerous because users may expect ephemeral memory transfer, not silent persistence of task state that can survive restarts and influence future behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cleanup guidance allows cancelled tasks to be removed, but it does not clearly warn that data deletion may occur or require confirmation. Even if framed as optional, undocumented deletion behavior in a persistent file can lead to loss of audit trail, user confusion, and unintended destruction of potentially important task history.

VirusTotal

66/66 vendors flagged this skill as clean.