Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 97% confidence
- Finding
- The skill’s declared purpose is narrow context management, but the documented behavior includes destructive session resets, direct deletion of session JSONL files, reinjection of content, and persistent writes to disk and configuration. That mismatch is security-relevant because it can mislead users into invoking operations that alter or destroy local state, and the use of AI-generated summaries as injected context also creates a prompt-injection persistence risk if prior session content was adversarial.
