RedactKit - AI Privacy Scrubber

Security checks across malware telemetry and agentic risk

Overview

This is a local redaction tool, but its reversible mode writes the original sensitive values in plaintext to a JSON mapping file on disk, and that file is still written in a report mode that users may expect to be read-only.

Review before installing if you handle real PII, credentials, or regulated data. Use non-reversible redaction unless restoration is necessary, keep mapping files out of repos and cloud sync, restrict or encrypt them, avoid combining --report with --mapping, and use narrow input/output directories for batch operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill markets itself as a privacy scrubber, but the documented reversible design stores original sensitive values in JSON mapping files on disk and may process/rewrite files or directories. That creates a meaningful confidentiality risk: users may believe data is 'safe' after redaction while the full secrets remain recoverable from local artifacts, which can be exposed through weak file permissions, backups, logs, or accidental sharing.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The tool stores reversible redaction mappings containing the original sensitive values in plaintext JSON on disk. In a privacy-scrubbing skill that advertises local, privacy-preserving behavior, this creates a meaningful confidentiality risk because secrets and PII remain recoverable from the mapping file even after redaction.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
`redact_file()` documents report mode as not writing output, but it still calls `save_mapping()` when `mapping_path` is provided. This violates user expectations and can silently persist highly sensitive original data to disk during a mode that implies dry-run behavior, increasing the chance of accidental leakage.
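The control-flow defect in this finding, together with the overview's advice (non-reversible redaction by default, restricted mapping files, no mapping output in report mode), can be shown side by side. The block below is an added example written for this page, not RedactKit's own code: `redact_file_flawed` has the shape the finding describes (report mode skips the output file but still persists the mapping), `redact_file_hardened` returns before touching disk in report mode and only writes a mapping when the caller opts into reversible redaction, and `redact_text` adds a non-reversible mode whose placeholders carry an HMAC under a per-run key that is thrown away. The detector patterns, file names, argument names and sample input are illustrative assumptions.

```python
import hashlib
import hmac
import json
import os
import re
import secrets
import stat
import tempfile

# Constructed sample input for the demo (not from the page or the project).
SAMPLE_TEXT = "db_password=hunter2 contact=alice@example.com api_token=abc123\n"

# Illustrative detectors only; the real skill's patterns are not on this page.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SECRET": re.compile(r"(?<=password=)\S+"),
    "TOKEN": re.compile(r"(?<=token=)\S+"),
}

def redact_text(text, reversible, key=None):
    """Return (redacted_text, mapping, match_count). reversible=True keeps
    placeholder -> original in `mapping`; reversible=False emits an HMAC-derived
    placeholder under a discarded per-run key and leaves `mapping` empty."""
    key = key or secrets.token_bytes(32)
    mapping, state = {}, {"n": 0}

    def placeholder(kind, original):
        state["n"] += 1
        if reversible:
            tag = f"<{kind}_{state['n']}>"
            mapping[tag] = original
            return tag
        digest = hmac.new(key, original.encode(), hashlib.sha256).hexdigest()[:12]
        return f"<{kind}_{digest}>"  # correlatable within the run, not recoverable

    for kind, rx in PATTERNS.items():
        text = rx.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return text, mapping, state["n"]

def save_mapping_plain(path, mapping):
    """Default-permission write: whoever the umask allows can read the originals."""
    with open(path, "w") as f:
        json.dump(mapping, f)

def save_mapping_restricted(path, mapping):
    """Create-only (never clobber an existing file), owner read/write only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(mapping, f)
    os.chmod(path, 0o600)  # umask can only strip bits; pin the mode explicitly

def redact_file_flawed(path, mapping_path=None, report=False):
    """Shape of the reported defect: report mode skips the output file, but the
    mapping (plaintext originals) is still persisted whenever mapping_path is set."""
    with open(path) as f:
        redacted, mapping, n = redact_text(f.read(), reversible=True)
    if not report:
        with open(path + ".redacted", "w") as f:
            f.write(redacted)
    if mapping_path:  # BUG: also runs in report mode
        save_mapping_plain(mapping_path, mapping)
    return {"matches": n, "mapping_written": bool(mapping_path)}

def redact_file_hardened(path, mapping_path=None, report=False, reversible=False):
    """Report mode writes nothing. Originals are retained only when the caller
    opts into reversible mode, and then only through the restricted writer."""
    if reversible and not mapping_path:
        raise ValueError("reversible redaction needs a mapping_path")
    with open(path) as f:
        redacted, mapping, n = redact_text(f.read(), reversible=reversible)
    if report:
        return {"matches": n, "mapping_written": False}
    with open(path + ".redacted", "w") as f:
        f.write(redacted)
    if reversible:
        save_mapping_restricted(mapping_path, mapping)
    return {"matches": n, "mapping_written": reversible}

def demo():
    """Run both variants on a temp copy of SAMPLE_TEXT; report what lands on disk."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "config.txt")
        with open(src, "w") as f:
            f.write(SAMPLE_TEXT)
        flawed_map, hard_map = os.path.join(d, "flawed.json"), os.path.join(d, "hard.json")
        redact_file_flawed(src, mapping_path=flawed_map, report=True)
        with open(flawed_map) as f:
            flawed_leak = "hunter2" in f.read()  # originals written during "report" mode
        redact_file_hardened(src, mapping_path=hard_map, report=True, reversible=True)
        report_clean = not os.path.exists(hard_map) and not os.path.exists(src + ".redacted")
        redact_file_hardened(src, mapping_path=hard_map, reversible=True)
        mode = stat.S_IMODE(os.stat(hard_map).st_mode)
        text, mapping, n = redact_text(SAMPLE_TEXT, reversible=False)
        return {
            "flawed_report_leaks_plaintext": flawed_leak,
            "hardened_report_writes_nothing": report_clean,
            "hardened_mapping_mode": mode,
            "irreversible_mapping_empty": mapping == {},
            "no_originals_left": not any(s in text for s in ("hunter2", "alice@", "abc123")),
            "irreversible_matches": n,
        }
```

The non-reversible mode is the default in the hardened variant because the mapping file is the only artifact that turns a redacted document back into the original; when restoration really is needed, `O_EXCL` plus mode 0600 at least keeps the file from being clobbered or read by other local users, and it should still stay out of repositories and synced folders.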

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata presents this as a privacy scrubber for protecting data before AI use, but this module explicitly restores original sensitive values and writes them back to disk. That mismatch is dangerous because users may trust the package in high-sensitivity workflows while it contains a built-in de-redaction path that can re-expose secrets, PII, and other confidential content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Bulk restoration of entire directories amplifies the blast radius of accidental or unauthorized de-redaction by making it easy to regenerate many sensitive files at once. In the context of a privacy-focused skill, this capability is riskier because it undermines the principle of minimizing exposure and can rapidly recreate a large corpus of unredacted data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module self-identifies as a restoration tool, which directly contradicts the advertised role of an AI privacy scrubber. This inconsistency increases the chance that operators or downstream systems will misclassify the package as purely protective when it also contains functionality that reverses privacy controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes reversible redaction by saving a local mapping file that contains the original sensitive values, but the operational risk of that file is not highlighted at the point where users are instructed to create it. Because the tool is explicitly marketed for handling PII, secrets, and financial data before sharing with AI, an unprotected mapping file becomes a concentrated store of all sensitive content and can undermine the redaction workflow if exposed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code writes mapping files that contain original redacted values without an explicit user-facing warning that secrets and PII will be retained in recoverable form. In the context of a privacy scrubber, users may reasonably assume the output reduces exposure, not that a sidecar file preserves all sensitive data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Batch mode can create redacted outputs and optional mapping files across a directory tree without a clear warning about filesystem modifications and retention of original sensitive data. This broadens the blast radius of accidental exposure because many files may be written, copied, or backed up with recoverable secrets preserved in parallel mapping files.
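For a machine that has already run batch jobs, the practical follow-up to the three warnings above is to go looking for leftover mapping files. The block below is an added example (not part of this report or of RedactKit): it walks a directory tree, picks out JSON files whose keys look like reversible placeholders, and flags any that are group/world-readable, sit inside a git working tree, or live under a cloud-sync folder. The `<KIND_n>` key format, the sync-folder names and the constructed directory layout in `demo()` are assumptions for illustration.

```python
import json
import os
import re
import stat
import tempfile

# Assumed mapping layout: a JSON object whose keys are "<KIND_n>" placeholders.
PLACEHOLDER_KEY = re.compile(r"^<[A-Z]+_\d+>$")
# Assumed folder names that indicate cloud sync; extend for your environment.
SYNC_DIR_HINTS = ("Dropbox", "OneDrive", "iCloud", "Google Drive")

def looks_like_mapping(path):
    """True if the file parses as a non-empty JSON object keyed only by placeholders."""
    try:
        with open(path, encoding="utf-8") as f:
            data = json.load(f)
    except (OSError, ValueError):
        return False
    return isinstance(data, dict) and bool(data) and all(PLACEHOLDER_KEY.match(k) for k in data)

def ancestors(path, root):
    """Yield directories from the file's parent up to and including root."""
    cur, root = os.path.dirname(os.path.abspath(path)), os.path.abspath(root)
    while True:
        yield cur
        if cur == root or os.path.dirname(cur) == cur:
            return
        cur = os.path.dirname(cur)

def audit_mapping_files(root):
    """Return {path: [issues]} for every mapping-shaped JSON file under root.
    An empty issue list means the file exists but none of the three checks fired."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not name.endswith(".json") or not looks_like_mapping(p):
                continue
            issues = []
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & 0o077:
                issues.append(f"readable by group/others (mode {mode:04o})")
            if any(os.path.isdir(os.path.join(d, ".git")) for d in ancestors(p, root)):
                issues.append("inside a git working tree")
            if any(hint in p for hint in SYNC_DIR_HINTS):
                issues.append("under a cloud-sync folder")
            findings[p] = issues
    return findings

def demo():
    """Constructed layout: a world-readable mapping inside a repo, a 0600 mapping
    elsewhere, and an unrelated package.json that must not be reported."""
    with tempfile.TemporaryDirectory() as d:
        repo = os.path.join(d, "project")
        os.makedirs(os.path.join(repo, ".git"))
        leaky = os.path.join(repo, "notes.mapping.json")
        with open(leaky, "w") as f:
            json.dump({"<EMAIL_1>": "alice@example.com", "<SECRET_2>": "hunter2"}, f)
        os.chmod(leaky, 0o644)
        safe = os.path.join(d, "vault", "m.json")
        os.makedirs(os.path.dirname(safe))
        with open(safe, "w") as f:
            json.dump({"<TOKEN_1>": "abc123"}, f)
        os.chmod(safe, 0o600)
        with open(os.path.join(d, "package.json"), "w") as f:
            json.dump({"name": "x"}, f)
        return {os.path.relpath(p, d): v for p, v in audit_mapping_files(d).items()}
```

Even a mapping file with no issues is a concentrated copy of everything the redaction removed, so the sensible outcome of the audit is to delete or encrypt each hit rather than only fix its permissions.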

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool writes restored plaintext directly to output files without any explicit warning that the resulting files contain newly exposed sensitive data. This creates a realistic risk of users saving secrets or PII into insecure locations, syncing them to cloud storage, or leaving them accessible to other local users or processes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal