Security audit

本地知识库 (Local Knowledge Base)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local knowledge-base skill that stores, searches, deletes, and summarizes user-provided memory on the local machine, with privacy cautions but no evidence of exfiltration or hidden behavior.

Install only if you want persistent local memory for the agent. Do not store passwords, API keys, recovery codes, tokens, or highly sensitive personal data, and use precise save, search, and delete requests because stored entries may be resurfaced later or removed by direct matching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The skill defines mandatory invocation for broad save/query/delete/statistics intents and also says to prioritize knowledge-base contents when answering, which can cause the agent to invoke this skill in situations beyond an explicitly scoped user request. Ambiguous boundaries increase the risk of unintended persistence, retrieval, or deletion of user data, especially when user messages merely resemble memory operations rather than clearly consenting to them.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The classification table explicitly treats “password” and “key” as storable important information, but the skill provides no warning, restriction, or refusal policy for secrets. This is dangerous because users may be encouraged to persist credentials or cryptographic material in a local SQLite store, creating a concentrated secret store that could be exposed through local compromise, backup leakage, or accidental retrieval in later conversations.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrase set includes very generic phrases such as “知识库中” (“in the knowledge base”) and “我的知识库” (“my knowledge base”), which are likely to appear in ordinary user conversation and can cause unintended skill activation. In a skill that stores, queries, deletes, and summarizes personal knowledge or preferences, accidental invocation increases the risk of privacy-impacting actions or disclosure of stored information without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill stores arbitrary user-provided content, including data it explicitly classifies as passwords, keys, tokens, and secrets, into a plaintext local SQLite database with no consent prompt, minimization, or protection. In an agent environment, this can silently persist sensitive conversation content on disk, increasing exposure to local compromise, backup leakage, or unintended reuse in later prompts.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.