Security audit

Cache Migration

Security checks across malware telemetry and agentic risk

Overview

This cache-migration skill needs Review because it can delete and permanently redirect local application folders and edit VSCode launch files without strong safeguards.

Install only if you are comfortable reviewing and running local PowerShell scripts that move, delete, and permanently redirect application folders. Back up important data first, close affected apps, verify exact source and destination paths, avoid system or broad profile paths, and prefer manual commands with confirmation and rollback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script goes beyond transparent cache/data-directory migration by editing VSCode launcher scripts and the user's settings.json. Those changes alter application behavior and persistence outside the migrated directories, which increases blast radius and can break future updates, create hard-to-revert state, or silently redirect extension loading to an arbitrary path.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Directly rewriting installed wrapper scripts (code.cmd and the bash launcher) is risky because it tampers with vendor-managed files in the application install tree. A user-controlled destination path is inserted into launch arguments, so a bad or unexpected path can permanently change where VSCode loads extensions from, survive across sessions, and potentially be leveraged to load untrusted code from a less trusted location.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger scope is overly broad, including vague intents like '释放 C 盘空间' ("free up C drive space") and '类似意图' ("similar intents"), which can cause the skill to activate for general storage-cleanup requests that do not clearly authorize directory migration, deletion, or junction creation. In this skill, activation leads to admin-level filesystem operations, so an imprecise trigger increases the chance of unintended destructive actions on user data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instructions explicitly direct deletion of the original directory as part of the workflow, but they do not require a prominent user-facing warning, backup confirmation, rollback plan, or explicit confirmation immediately before the destructive step. Because the skill is designed for arbitrary application data on Windows and runs with administrator privileges, a path mistake, partial copy, locked file, or wrong app selection could cause permanent data loss or application breakage.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script unconditionally deletes the original source directory after copying, with no confirmation, no dry-run mode, no rollback, and no integrity check beyond a rough size comparison. In this skill's context, the source and destination are user-supplied arbitrary paths for developer tools, so a mistaken, expanded, or maliciously influenced path can cause destructive data loss or removal of important application data before the junction is safely validated.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script deletes the original npm cache directory immediately after a best-effort copy that suppresses copy errors with SilentlyContinue, and it does so without any user confirmation or rollback path. In this skill context, the script is explicitly intended to move application data on a user workstation, so destructive behavior against real user state is more dangerous because partial copies, wrong destination paths, or in-use files can lead to silent data loss or broken npm behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.