
Security audit

Workspace Zip Backup

Security checks across malware telemetry and agentic risk

Overview

This is a local Markdown backup tool, but its restore script can write, and overwrite, files somewhere other than the destination the user requested.

Review before installing. The skill shows no sign of network exfiltration or hidden execution, but do not run its restore script from an important directory until the destination bug is fixed. Restore into an empty staging directory, list the archive contents (`unzip -l`) first, and keep backup zip files private because they may contain notes, skills, or memory data. Note that Info-ZIP `unzip` strips a leading `/` from member names by default (with a warning), so without `-d` the usual outcome is extraction relative to the current working directory; either way, the files do not land where the user asked.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch
High severity, 98% confidence

The restore script accepts a TARGET_DIR parameter and even creates that directory, but the actual extraction command is `unzip -o "$BACKUP_ZIP"` with no `-d "$TARGET_DIR"`. As a result, files are restored relative to the current working directory (or along the paths stored in the archive) rather than into the intended target, which can overwrite unexpected files and misplace restored content.

Intent-Code Divergence
High severity, 97% confidence

The documentation states that restore creates and uses the target directory, but the code never passes that directory to `unzip`. This mismatch is dangerous because operators may believe restoration is contained to a safe destination when it can instead write elsewhere, increasing the chance of unintended overwrites or data corruption.

Intent-Code Divergence
Medium severity, 94% confidence

The help text and examples tell users they can restore to a specified location, but the script ignores that parameter during extraction. This is a real safety issue: a user may point a restore at an alternate path expecting containment, while the archive is actually extracted somewhere else, determined by the current directory or the stored member paths.

Missing User Warnings
Medium severity, 93% confidence

The README explicitly states that backups made with absolute paths will restore to the same paths, but it does not prominently warn that restore may overwrite existing files or recreate paths outside the intended workspace. In a backup/restore skill this matters because a user can unintentionally modify or replace existing Markdown files during recovery, especially if archives are restored without inspecting their contents first.

Missing User Warnings
Medium severity, 83% confidence

The skill is designed to package all `.md` files, including notes, skill docs, and memory files, into a portable archive for transfer or sharing, but it does not prominently warn that these files may contain sensitive information. Because its stated use cases include migration and sharing, the tool increases the risk of accidental data exposure.

Missing User Warnings
Medium severity, 88% confidence

The restore flow uses `unzip -o`, which overwrites existing files without prompting, but the instructions around restore do not clearly warn users of this overwrite behavior. In a workspace context that can destroy or silently replace current notes and skill files, all the more so because the archive may not restore into the intended directory.
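The findings above all come down to one missing argument (`-d "$TARGET_DIR"`) plus two absent safeguards (inspect before extracting, do not overwrite silently). The block below is an added example, not the skill's own script, and it is written in Python rather than the skill's shell so it can be run offline against constructed sample archives. It reimplements the restore step with the checks this audit recommends: list the members, refuse members with absolute paths or `..` components, extract only under the requested target directory, and refuse to overwrite existing files unless the caller opts in. The archive contents and member names are constructed for the demo; nothing here is taken from a real backup.

```python
"""Added example (not the skill's own code): a restore routine with the
safeguards this audit calls for, using Python's zipfile so it runs offline.
The skill's script runs `unzip -o "$BACKUP_ZIP"` without `-d "$TARGET_DIR"`;
in shell the minimal fix is to add that flag. This version additionally
inspects members, rejects path traversal, and refuses silent overwrites.
"""
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def unsafe_members(zf):
    """Return member names that would land outside the target directory.

    A member is unsafe if its stored path is absolute (POSIX '/...' or a
    Windows drive like 'C:...') or contains a '..' path component.
    """
    bad = []
    for name in zf.namelist():
        p = PurePosixPath(name.replace("\\", "/"))
        has_drive = len(name) > 1 and name[1] == ":"
        if p.is_absolute() or has_drive or ".." in p.parts:
            bad.append(name)
    return bad


def inspect_archive(zip_path):
    """Return [(member name, uncompressed size)] for review before restoring."""
    with zipfile.ZipFile(zip_path) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()]


def restore(zip_path, target_dir, overwrite=False):
    """Extract zip_path into target_dir (created if missing).

    Raises ValueError for unsafe member paths and FileExistsError when a
    member would replace an existing file and overwrite is False.
    Returns the restored file names, relative to target_dir.
    """
    target = Path(target_dir)
    with zipfile.ZipFile(zip_path) as zf:
        bad = unsafe_members(zf)
        if bad:
            raise ValueError(f"refusing to restore; unsafe member paths: {bad}")
        if not overwrite:
            clashes = [n for n in zf.namelist()
                       if not n.endswith("/") and (target / n).exists()]
            if clashes:
                raise FileExistsError(f"would overwrite existing files: {clashes}")
        target.mkdir(parents=True, exist_ok=True)
        restored = []
        for info in zf.infolist():
            zf.extract(info, target)  # the `unzip -d "$TARGET_DIR"` equivalent
            if not info.is_dir():
                restored.append(info.filename)
    return restored


def make_sample_backup(zip_path, members):
    """Write a constructed sample archive from {member name: text}."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)


def demo(workdir=None):
    """Exercise the scenarios from the findings; returns a dict of outcomes."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="restore-demo-"))
    results = {}

    # Constructed sample backup: the kinds of Markdown files the skill packages.
    good_zip = workdir / "backup.zip"
    make_sample_backup(good_zip, {"notes/todo.md": "# todo\n",
                                  "skills/backup/SKILL.md": "# skill\n"})
    staging = workdir / "staging"
    results["listing"] = inspect_archive(good_zip)
    results["restored"] = restore(good_zip, staging)
    # Nothing was written beside the archive, i.e. outside the target.
    results["outside_target_untouched"] = not (workdir / "notes").exists()
    try:  # second restore onto existing files: refused unless overwrite=True
        restore(good_zip, staging)
        results["overwrite_refused"] = False
    except FileExistsError:
        results["overwrite_refused"] = True

    # Constructed hostile archive with traversal and absolute member paths.
    bad_zip = workdir / "bad.zip"
    make_sample_backup(bad_zip, {"../escape.md": "x", "/etc/absolute.md": "y",
                                 "ok.md": "z"})
    with zipfile.ZipFile(bad_zip) as zf:
        results["unsafe"] = unsafe_members(zf)
    try:
        restore(bad_zip, workdir / "staging2")
        results["unsafe_refused"] = False
    except ValueError:
        results["unsafe_refused"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The traversal check is deliberately done on the stored member names before anything is written, rather than relying on the extractor to sanitize paths, because that is the property an operator can verify from `unzip -l` output without trusting the restore script. The overwrite refusal is the opposite of `unzip -o`: an operator who wants the destructive behavior has to ask for it explicitly.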

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.