Back to skill

Security audit

Context Compressor

Security checks across malware telemetry and agentic risk

Overview

This skill is a context compressor with no malware-like behavior, but it can silently rewrite conversation state and promote user text into system-level instructions.

Review before installing. Use this only where you control the integration and can ensure system/developer instructions, security-critical tool outputs, credentials, and user requirements are preserved or excluded from compression. Avoid automatic use in sensitive workflows unless summaries are clearly marked as untrusted and user-derived.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill advertises automatic activation 'when context exceeds a threshold' without clearly constraining who authorizes compression, what content may be rewritten, or what safeguards preserve important instructions and evidence. In an agent system, over-broad auto-compression can silently alter context at the wrong time, causing loss of safety-relevant history, tool observations, or user requirements and leading to unsafe downstream decisions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase 'token 超限' is broad enough to match ordinary discussion about token limits rather than an intentional request to invoke this skill. That increases the chance of accidental skill activation, which could unexpectedly summarize or hide prior context and degrade reliability or safety in long-running tasks.

Ssd 3

Medium
Confidence
91% confidence
Finding
The conversation summarizer copies prior user and assistant content into a new system-role message, which elevates untrusted natural-language content into a higher-priority context channel. This can preserve and propagate sensitive data across turns and may also amplify prompt-injection content from earlier messages by reintroducing it as system context.

Ssd 3

High
Confidence
95% confidence
Finding
The structured note extractor regexes user and assistant messages for 'decision/finding/important/issue/plan' text and appends the extracted content directly into a system message. This promotes potentially sensitive or attacker-controlled content into a privileged prompt position, increasing both data leakage risk and the chance that malicious instructions embedded in earlier conversation are treated as authoritative context later.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.