Back to skill

Security audit

Session Digest

Security checks across malware telemetry and agentic risk

Overview

This skill is a local daily chat digest, but it broadly collects all agents' conversation logs and leaves raw chat excerpts in a predictable temporary file before saving a persistent memory summary.

Install only if you are comfortable with all local agents' daily conversations being collected into a raw plaintext file and summarized into long-lived memory. Before using it, confirm whether cron is actually installed, restrict the script to selected agents or sessions where possible, avoid running it on sensitive work, and remove or protect the temporary transcript after summarization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a benign daily summary feature, but its documented/observed behavior includes aggregating all active agents' session data and writing raw extracted conversations to a temporary file. That mismatch is dangerous because users may authorize or deploy it without realizing it performs broad cross-session data collection and stages sensitive content outside the intended memory path, increasing privacy exposure and the chance of unintended disclosure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script writes extracted conversation content from agent session logs into a plaintext file under /tmp, which diverges from the declared behavior of summarizing into a memory file and materially increases exposure of raw sensitive content. Temporary directories are commonly accessible to other local processes or users depending on system configuration, so this design can leak private conversation data and bypass user expectations about where summaries are stored.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script enumerates every agent directory and reads all session logs for the selected date, which is broader than the stated purpose of summarizing a user's current-day dialogue. In a multi-agent environment this creates unnecessary cross-context data aggregation, potentially exposing unrelated conversations, secrets, or role-isolated information to the summarization workflow and any downstream consumer of the extracted file.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill automates persistent processing of conversation histories across agents, but the description does not prominently warn users that all active agents' sessions are read and that a daily memory artifact is created automatically. In this context, missing disclosure is security-relevant because it undermines informed consent for sensitive data aggregation and persistence, especially under unattended cron execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script stores extracted conversation data in /tmp without prior disclosure in the skill description and only reports the location after the file has already been created. Because the content includes raw session text across agents, this silent write can create an unexpected privacy exposure and leaves sensitive data in a location that may be monitored, backed up, or read by other local actors.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.