Kb Mini

Security checks across malware telemetry and agentic risk

Overview

This is a coherent knowledge-base skill, but its verdict is Review because it can automatically store full conversation turns, including secret-like content, in persistent private or shared databases without strong safeguards.

Review before installing. Use private KB mode for sensitive work, avoid enabling automatic after-turn capture unless you are comfortable saving conversation text, do not store credentials or secrets in this KB, and be cautious with shared mode until access controls, redaction, retention, and deletion controls are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The capture hook is presented as deciding what is worth remembering, but its keyword rules explicitly prioritize secrets such as API keys, tokens, and passwords for storage. In a knowledge-base skill, automatically persisting credentials creates a direct confidentiality risk because sensitive data may be written to disk and later retrieved, exposed, or mishandled by other components.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The search and retrieve paths accept a --level parameter and the schema includes an access_level field, but neither function applies any access-control filter based on the caller's requested level. That means users can retrieve records regardless of their intended sensitivity tier, which defeats the apparent authorization model and can expose restricted knowledge entries.
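The finding above describes a retrieval path that accepts a tier but never filters on it. The following is an added example, not the skill's own code: it models the schema's access_level field with an in-memory SQLite table and puts the unfiltered query beside a version that enforces the tier. The tier names (public, internal, private), the table layout and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Sensitivity tiers, lowest to highest. Hypothetical names: the page only says
# the schema has an access_level field and the CLI accepts --level.
LEVELS = ["public", "internal", "private"]


def open_kb():
    """In-memory knowledge base seeded with constructed rows at each tier."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE entries (
               id INTEGER PRIMARY KEY,
               content TEXT NOT NULL,
               access_level TEXT NOT NULL)"""
    )
    con.executemany(
        "INSERT INTO entries (content, access_level) VALUES (?, ?)",
        [
            ("Team prefers 4-space indentation", "public"),
            ("Staging DB host is db-stage.internal", "internal"),
            ("Rotate the prod signing key quarterly", "private"),
            ("Release notes go in CHANGELOG.md", "public"),
        ],
    )
    return con


def search_unfiltered(con, query, level):
    """The shape the finding describes: `level` is accepted and then ignored,
    so every tier comes back regardless of what the caller asked for."""
    return con.execute(
        "SELECT content, access_level FROM entries WHERE content LIKE ?",
        (f"%{query}%",),
    ).fetchall()


def search_filtered(con, query, level):
    """Hardened form: only rows at or below the caller's tier are returned,
    and an unknown tier fails closed instead of defaulting to the top."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    allowed = LEVELS[: LEVELS.index(level) + 1]
    placeholders = ",".join("?" * len(allowed))
    return con.execute(
        "SELECT content, access_level FROM entries "
        f"WHERE content LIKE ? AND access_level IN ({placeholders})",
        (f"%{query}%", *allowed),
    ).fetchall()


if __name__ == "__main__":
    kb = open_kb()
    print("unfiltered, level=public:", search_unfiltered(kb, "", "public"))
    print("filtered,   level=public:", search_filtered(kb, "", "public"))
```

The filter alone is not a full fix: a tier the caller picks on the command line is a self-assertion, not authorization. In a shared deployment the `level` passed to `search_filtered` should be derived from the authenticated caller (agent identity or user role), not from a flag the caller supplies.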

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The trigger phrases are broad enough to overlap with ordinary user conversation, which can cause unintended activation of storage or retrieval behavior. In this skill, accidental activation is more dangerous because the same design also includes automatic recall/capture hooks and persistent storage, so a normal chat message could unexpectedly influence memory operations.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The plan explicitly describes automatic capture of user preferences, configuration, and important context after every turn without a clear user-facing consent, notice, or sensitivity filter. That creates a real privacy and data-minimization risk because sensitive user-provided information may be persistently stored without the user's awareness, then later recalled into other contexts.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The shared KB mode allows multiple agents to read and write the same knowledge base, but the document does not define access controls, isolation boundaries, or explicit warnings about cross-agent data exposure. In practice this can leak private memory, user preferences, and operational context across agents, and also enables one agent to poison another agent's retrieved context.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The trigger phrases are broad and include common conversational terms such as '知识库' (knowledge base), 'KB', '记得这个' (remember this), and '记忆' (memory), which can cause the skill to activate in ordinary conversation without clear user intent. In this skill, accidental activation is more dangerous because the skill supports automatic recall before a session and automatic capture after a turn, increasing the chance of unintended data retrieval or storage.
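Both Vague Triggers findings turn on the same mechanism: a substring match against short, common phrases. The added example below is not the skill's trigger code; it reuses the phrases the findings quote and shows how a substring matcher fires on unrelated chat (a file size, an idiom, a Chinese sentence about poor memory), next to a narrow matcher that only activates on an explicit command. The `kb:` command prefix, the English equivalents and the sample messages are assumptions made for illustration.

```python
import re

# Trigger phrases quoted in the findings, plus an English equivalent or two.
BROAD_TRIGGERS = ["知识库", "KB", "记得这个", "记忆", "knowledge base", "remember"]


def broad_trigger(message):
    """Case-insensitive substring match: the shape of a vague trigger.
    Returns the list of phrases that fired (empty list means no activation)."""
    low = message.lower()
    return [t for t in BROAD_TRIGGERS if t.lower() in low]


# Narrow alternative: an explicit command addressed to the KB at the start of
# the message. The "kb:" prefix is a hypothetical convention, not the skill's.
INTENT_RE = re.compile(r"^\s*kb:\s*(remember|recall|forget)\b\s*(.*)$", re.I | re.S)


def intent_trigger(message):
    """Returns (verb, payload) for an explicit kb: command, otherwise None."""
    m = INTENT_RE.match(message)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


# Constructed ordinary chat lines that should never touch the knowledge base.
ORDINARY_MESSAGES = [
    "the attachment is 512KB, is that too big for email?",
    "I can't remember which port the proxy uses",
    "我的记忆力不太好，你再说一遍吧",  # "my memory is poor, please say it again"
]


def activations(matcher, messages):
    """Count how many messages a matcher would activate on."""
    return sum(1 for m in messages if matcher(m))


if __name__ == "__main__":
    print("broad matcher fires on", activations(broad_trigger, ORDINARY_MESSAGES),
          "of", len(ORDINARY_MESSAGES), "ordinary messages")
    print("intent matcher fires on", activations(intent_trigger, ORDINARY_MESSAGES))
    print(intent_trigger("KB: remember that the team prefers tabs"))
```

The point is not the exact prefix but that activation should require an unambiguous signal of intent, because in this skill an accidental activation feeds directly into persistent capture or recall rather than a harmless reply.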

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The skill documents automatic retrieval in a before_agent_start hook and automatic storage in an after_turn hook, but does not warn users that conversation content may be processed and persisted automatically. This creates a meaningful privacy and data-governance risk because sensitive information may be stored or surfaced without informed consent, especially given support for shared knowledge-base modes across agents.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The spec explicitly designs an automatic after_turn capture flow that extracts and stores user preferences, decisions, and important context from conversations. Without an explicit consent mechanism, privacy notice, data minimization policy, or exclusion of sensitive content, this creates a real risk of collecting and retaining secrets or personal data that users did not intend to persist.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The before_agent_start hook is specified to automatically read from the knowledge base and inject retrieved content into agent context before each conversation. If users are not clearly warned that prior stored data will be surfaced into future prompts, private or sensitive information can be unexpectedly exposed to the model or influence responses in ways the user does not anticipate.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documented internal `kb recall` and `kb capture` hook interfaces automatically process conversation context and full turn content, but the spec provides no notice, consent model, minimization guidance, or retention controls. In an agent skill, this can lead to silent collection and reuse of sensitive prompts, secrets, or personal data, especially because the interfaces are intended to run automatically via hooks rather than explicit user actions.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The `kb config mode shared` feature is exposed as a simple mode switch, but the API spec does not warn that moving from private to shared mode can broaden access to stored knowledge. That omission increases the risk of accidental data exposure when operators assume all stored memory remains local or private.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The hook automatically persists conversation content to the knowledge base when the capture heuristic returns true, with no visible consent, notice, redaction, or sensitivity filtering in this script. Because both user and agent text are stored, secrets, personal data, internal prompts, and other sensitive session content can be retained unexpectedly and exposed later through recall or database access.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The code assigns a very high capture score when the turn contains terms like API, key, token, or password, causing secret-bearing content to be classified as worth storing without warning or consent. This increases the likelihood of credential retention in the local database, which can lead to accidental disclosure, later prompt leakage, or compromise if the database is accessed by unauthorized parties.
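The first Intent-Code Divergence finding and the finding directly above describe the same defect from two angles: the capture heuristic treats credential vocabulary as a signal that a turn is worth keeping. The added example below is not the skill's scoring code; it reconstructs that shape with constructed weights and puts it beside a hardened decision that detects credential-shaped material first, redacts it, and refuses to store a turn whose only interesting feature was the secret. The weights, threshold and regular expressions are assumptions made for illustration.

```python
import re

# Keyword weights in the shape the finding describes: secret vocabulary scores
# highest, so a turn carrying a credential is the MOST likely to be persisted.
NAIVE_WEIGHTS = {"api": 0.9, "key": 0.9, "token": 0.9, "password": 0.9,
                 "prefer": 0.6, "decided": 0.6, "config": 0.5}
THRESHOLD = 0.6


def naive_capture_score(turn):
    """Best-matching keyword weight, or 0.0 if nothing matched."""
    low = turn.lower()
    return max((w for k, w in NAIVE_WEIGHTS.items() if k in low), default=0.0)


def naive_should_store(turn):
    return naive_capture_score(turn) >= THRESHOLD


# Hardened form. Credential-shaped material is found and redacted BEFORE the
# turn is scored, and secret vocabulary no longer contributes to the score.
SECRET_PATTERNS = [
    # label=value / label: value pairs such as api_key=..., password: ...
    re.compile(r"(?i)\b(api[_-]?key|token|password|secret|passwd)\s*[:=]\s*\S+"),
    # a few well-known key prefixes followed by a long opaque tail
    re.compile(r"\b(sk|ghp|AKIA)[A-Za-z0-9_-]{16,}\b"),
    # long opaque strings that are rarely natural language
    re.compile(r"\b[A-Za-z0-9_-]{32,}\b"),
]
SAFE_WEIGHTS = {"prefer": 0.6, "decided": 0.6, "config": 0.5}


def redact(turn):
    """Replace every secret-shaped match; returns (cleaned_text, match_count)."""
    out, hits = turn, 0
    for pat in SECRET_PATTERNS:
        out, n = pat.subn("[REDACTED]", out)
        hits += n
    return out, hits


def safe_capture(turn):
    """Returns (store, content). Unredacted secrets never reach storage, and a
    turn that scores below threshold once the secret is gone is dropped."""
    cleaned, _ = redact(turn)
    low = cleaned.lower()
    score = max((w for k, w in SAFE_WEIGHTS.items() if k in low), default=0.0)
    if score < THRESHOLD:
        return False, None
    return True, cleaned


if __name__ == "__main__":
    for turn in ["Use api_key=12345 for the staging API",
                 "We decided the linter config is ruff, token: ghp_abcdefghijklmnopqrstuvwxyz1234",
                 "I prefer dark mode"]:
        print(repr(turn))
        print("  naive store:", naive_should_store(turn))
        print("  safe  store:", safe_capture(turn))
```

Regex-based detection is a floor, not a ceiling: it catches the obvious `name=value` forms and long opaque tokens, but a credential pasted as a bare word can still slip through. That is the reason the hardened path also drops secret vocabulary from the score rather than merely redacting, and why the Overview's advice not to put credentials into this KB at all still applies.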

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The test invokes `capture` with a credential-like string (`api_key=12345`) and immediately echoes the raw result, which may preserve or display sensitive-looking material in logs, CI output, shell history, or debugging artifacts. Even though this is test code using a dummy value, the pattern normalizes unsafe handling of secrets and can lead to accidental disclosure if copied with real credentials or if the capture path stores secrets without redaction.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: Storing plain-language summaries of user preferences, configuration, and important conversation context can easily capture secrets or sensitive personal data embedded in normal dialogue. Because the skill is designed to persist and later recall this material, the leak risk is amplified: sensitive data may be retained longer than intended and surfaced in unrelated future interactions or to other agents if shared mode is enabled.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The design retains natural-language summaries of user preferences and important context from routine interactions, which increases the chance that credentials, personal data, business-sensitive details, or other confidential information are stored long-term. In shared-KB mode, the danger is elevated because retained content may become accessible across multiple agents, broadening exposure beyond the original conversation.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The `kb capture --turn` interface explicitly supports automatic capture of full conversation turns for memory decisions, which creates a clear risk of retaining credentials, personal data, proprietary prompts, or other sensitive natural-language content. Because it is designed for `after_turn` automation, the danger is amplified by silent background operation and the likelihood of collecting more data than necessary.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The script stores the full combined user and agent turn as persistent content based on a generic capture decision, rather than a narrowly scoped allowlist of safe fields. In a knowledge-base skill, this context makes the issue more dangerous because the whole purpose is later retrieval, increasing the chance that sensitive prior conversation data is resurfaced into future sessions or exposed to anyone with KB access.
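The last three findings, together with the earlier after_turn consent findings, all point to the same remedy: persist an allowlisted, structured subset of the user's text rather than the combined turn, and only when the user has opted in. The added example below is not the skill's hook; it models a hypothetical after_turn contract and contrasts the full-turn store with a minimizing one. The extractor patterns, the `capture_opt_in` and `retention_days` settings, and the sample turn are assumptions made for illustration.

```python
import re

# The shape the finding describes: whatever the generic heuristic approved,
# the whole user+agent turn is written as one opaque record.
def store_full_turn(user_text, agent_text, store=None):
    store = [] if store is None else store
    store.append({"content": f"user: {user_text}\nagent: {agent_text}"})
    return store


# Allowlisted record types and the narrow extractors that produce them.
# Only the USER's text is read: agent output is never a source of memory.
EXTRACTORS = {
    "preference": re.compile(r"(?i)\bI (?:prefer|always use|like)\s+([^.\n]{3,60})"),
    "decision": re.compile(r"(?i)\bwe (?:decided|agreed)(?: to| on)?\s+([^.\n]{3,80})"),
}


def after_turn(user_text, agent_text, settings, store=None):
    """Minimising capture hook (hypothetical contract).

    No opt-in -> nothing is persisted. With opt-in, only allowlisted fields
    extracted from the user's text are stored, each tagged with its origin and
    a retention window so later cleanup has something to act on."""
    store = [] if store is None else store
    if not settings.get("capture_opt_in", False):
        return store
    ttl = int(settings.get("retention_days", 30))
    for kind, pat in EXTRACTORS.items():
        for m in pat.finditer(user_text):
            store.append({
                "type": kind,
                "value": m.group(1).strip(),
                "source": "after_turn",
                "consented": True,
                "retention_days": ttl,
            })
    return store


# Constructed turn: one preference, one decision, and a password that belongs
# to neither and must not be persisted.
USER = ("I prefer 4-space indentation. Also the db password is hunter2 "
        "and we decided to ship Friday.")
AGENT = "Noted. I set DB_PASSWORD=hunter2 in the staging env file."

if __name__ == "__main__":
    print("full turn :", store_full_turn(USER, AGENT))
    print("no opt-in :", after_turn(USER, AGENT, {}))
    print("opt-in    :", after_turn(USER, AGENT, {"capture_opt_in": True, "retention_days": 14}))
```

Two design points worth keeping even if the extractors change: the allowlist is positive (what may be stored) rather than negative (what to strip), so anything the extractors do not recognise is dropped by default; and the agent's own output is excluded as a memory source, which closes the path where an assistant restating a secret causes it to be captured.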

VirusTotal

66/66 vendors flagged this skill as clean.
