Back to skill

Security audit

Caveman Compress

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: compresses user-selected natural-language memory files with Claude, backs up the original, and avoids obvious code or secret files.

Install only if you are comfortable sending the selected memory file to Claude/Anthropic for processing. Do not run it on files containing secrets or private notes you would not upload to a third-party model, and use the explicit /caveman:compress <filepath> form so the target file is clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read files, write backups and overwrite originals, invoke a Python module, and potentially use environment variables, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and hosting systems cannot accurately assess or restrict the skill's real capabilities, increasing the chance of unintended file modification or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The description says the skill compresses memory files, but the process reveals materially different behavior: it sends file contents to Claude, performs automated retry/fix passes, and applies broader file targeting rules. Undisclosed exfiltration of file contents to an external LLM is especially dangerous for memory files, which often contain secrets, internal notes, credentials, or sensitive project context.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a file compression utility, but its core operation sends full file contents to Anthropic or the Claude CLI, crossing a third-party data boundary. In the context of memory files like `CLAUDE.md`, todos, and preferences, this can disclose internal project information, personal notes, or other sensitive text even though some obvious secret filenames are blocked.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase 'compress memory file' is broad enough to match ordinary conversation, which can cause unintended activation of a skill that overwrites files and invokes shell/Python tooling. Because this skill performs destructive modification of user files and may transmit contents externally, accidental triggering materially raises risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation rule 'when user asks to compress a memory file' is ambiguous and leaves too much discretion for when the skill should run. In context, that ambiguity is risky because the skill can read arbitrary natural-language files, overwrite them, create backups, and call an external model, so an imprecise trigger can lead to unintended execution and data exposure.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def call_claude(prompt: str) -> str:
    api_key = os.environ.get("ANTHROPIC_API_KEY")
    if api_key:
        try:
            import anthropic
Confidence
70% confidence
Finding
os.environ.get("ANTHROPIC_API_KEY

Unvalidated Output Injection

High
Category
Output Handling
Content
pass  # anthropic not installed, fall back to CLI
    # Fallback: use claude CLI (handles desktop auth)
    try:
        result = subprocess.run(
            ["claude", "--print"],
            input=prompt,
            text=True,
Confidence
95% confidence
Finding
subprocess.run( ["claude", "--print"], input=prompt, text=True, capture_output

Credential Access

High
Category
Privilege Escalation
Content
# Filenames and paths that almost certainly hold secrets or PII. Compressing
# them ships raw bytes to the Anthropic API — a third-party data boundary that
# developers on sensitive codebases cannot cross. detect.py already skips .env
# by extension, but credentials.md / secrets.txt / ~/.aws/credentials would
# slip through the natural-language filter. This is a hard refuse before read.
SENSITIVE_BASENAME_REGEX = re.compile(
    r"(?ix)^("
Confidence
90% confidence
Finding
~/.aws/credentials

Credential Access

High
Category
Privilege Escalation
Content
SENSITIVE_BASENAME_REGEX = re.compile(
    r"(?ix)^("
    r"\.env(\..+)?"
    r"|\.netrc"
    r"|credentials(\..+)?"
    r"|secrets?(\..+)?"
    r"|passwords?(\..+)?"
Confidence
80% confidence
Finding
.netrc

Credential Access

High
Category
Privilege Escalation
Content
# Filenames and paths that almost certainly hold secrets or PII. Compressing
# them ships raw bytes to the Anthropic API — a third-party data boundary that
# developers on sensitive codebases cannot cross. detect.py already skips .env
# by extension, but credentials.md / secrets.txt / ~/.aws/credentials would
# slip through the natural-language filter. This is a hard refuse before read.
SENSITIVE_BASENAME_REGEX = re.compile(
    r"(?ix)^("
Confidence
70% confidence
Finding
secrets.txt

Credential Access

High
Category
Privilege Escalation
Content
# Filenames and paths that almost certainly hold secrets or PII. Compressing
# them ships raw bytes to the Anthropic API — a third-party data boundary that
# developers on sensitive codebases cannot cross. detect.py already skips .env
# by extension, but credentials.md / secrets.txt / ~/.aws/credentials would
# slip through the natural-language filter. This is a hard refuse before read.
SENSITIVE_BASENAME_REGEX = re.compile(
Confidence
60% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Extensions that are code/config and should be skipped
SKIP_EXTENSIONS = {
    ".py", ".js", ".ts", ".tsx", ".jsx", ".json", ".yaml", ".yml",
    ".toml", ".env", ".lock", ".css", ".scss", ".html", ".xml",
    ".sql", ".sh", ".bash", ".zsh", ".go", ".rs", ".java", ".c",
    ".cpp", ".h", ".hpp", ".rb", ".php", ".swift", ".kt", ".lua",
    ".dockerfile", ".makefile", ".csv", ".ini", ".cfg",
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if ext in COMPRESSIBLE_EXTENSIONS:
        return "natural_language"
    if ext in SKIP_EXTENSIONS:
        return "code" if ext not in {".json", ".yaml", ".yml", ".toml", ".ini", ".cfg", ".env"} else "config"

    # Extensionless files (like CLAUDE.md, TODO) — check content
    if not ext:
Confidence
60% confidence
Finding
.env"

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.