Back to skill

Security audit

Smart Context Manager

Security checks across malware telemetry and agentic risk

Overview

This context-management skill appears purpose-aligned, but it can persist sensitive session content and destructively replace sessions in ways users should review carefully before installing.

Install only if you are comfortable with a tool that can read and locally store session transcripts and repository context, and use any replace/reset mode only after confirming backups and reviewing what summary will be injected into the new session. Avoid using it on sessions containing secrets or highly sensitive project data unless you first redact or delete generated artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill’s declared purpose is narrow context management, but the documented behavior includes destructive session resets, direct deletion of session JSONL files, reinjection of content, and persistent writes to disk and configuration. That mismatch is security-relevant because it can mislead users into invoking operations that alter or destroy local state, and the use of AI-generated summaries as injected context also creates a prompt-injection persistence risk if prior session content was adversarial.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest description understates that the skill can reset sessions by deleting underlying session files and then reinjecting generated content. This is dangerous because users may trust the skill as simple context management while unknowingly invoking destructive operations that can erase state, preserve malicious instructions in compressed form, or alter future agent behavior.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
Labeling the summarize operation as 'read-only, safe' is inaccurate because it writes AI-generated summaries to disk. While the write itself is not highly severe, inaccurate safety labeling can cause users to run the command in environments where persistence of sensitive session data to local storage is not acceptable.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The repeated 'Safe, Read-Only' description again misrepresents the command’s behavior by omitting that summary artifacts are created on disk. Repetition of the misleading label increases the chance that users underestimate confidentiality and persistence risks associated with summarizing sensitive conversations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill's stated purpose is context management, but the --replace flow goes beyond summarization and monitoring by resetting live session state and recreating context in a fresh session. That is a destructive state-management capability that can alter or erase active agent history, making mistakes or misuse materially more harmful than the description suggests.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script directly deletes the OpenClaw session JSONL file as an implementation detail for resetting a session. Deleting internal state files is destructive, bypasses safer platform controls, and can irreversibly destroy conversation history or corrupt expected session behavior if the file path or target session is wrong.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script extracts full session transcripts, working directory information, git status, and recent commits, then writes them to persistent files. This exceeds minimal context monitoring and creates a local archive of potentially sensitive conversational and repository data that may include secrets, code, or user-provided information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persists transcript and summary content to disk without an upfront, user-facing consent or warning that local files will contain conversation contents and repository metadata. Users may unknowingly create sensitive local artifacts that outlive the session and are readable by others with filesystem access.

Missing User Warnings

High
Confidence
99% confidence
Finding
The --replace mode performs a destructive delete of the live session file without prompting the user for confirmation at execution time. A typo, misunderstanding, or automation context could therefore erase an active session unexpectedly, even though the operation is materially riskier than ordinary summarization.

Ssd 3

Medium
Confidence
93% confidence
Finding
The compression flow copies large portions of the conversation into transcript and summary files, which can include sensitive user prompts, code, credentials, or internal reasoning-relevant context. Persisting this data increases exposure surface and retention beyond the original session lifecycle.

Ssd 3

Medium
Confidence
89% confidence
Finding
Injecting compressed prior context into a fresh session intentionally carries forward conversation details into a new context boundary. This can propagate sensitive data farther than users expect, and if the summary is overbroad or contains secrets, the new session inherits unnecessary exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.