Back to skill

Security audit

SwarmVault

Security checks across malware telemetry and agentic risk

Overview

SwarmVault is a disclosed local knowledge-vault skill, but it can persist, index, export, and optionally provider-process sensitive user content when used.

Install this only if you want a durable local vault that copies and indexes selected files, repos, transcripts, emails, calendars, chats, and exports on disk. Review provider settings before ingesting confidential material, use SWARMVAULT_OUT for isolation when needed, inspect generated exports before sharing, and enable agent hooks or user-scope installs only when you accept background graph refreshes and project configuration edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The guide states that installation can edit host-project files like .gitignore, tsconfig.json, and agent hook settings, which extends the skill's reach from vault artifact generation into modifying unrelated repository and agent execution behavior. In a local developer environment, this can change build, lint, and hook behavior in ways users may not fully expect, increasing supply-chain and persistence risk if such modifications are broadly applied.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README strongly encourages ingesting a wide range of potentially sensitive materials—emails, calendars, transcripts, exports, datasets, and code—and emphasizes that these are copied into durable on-disk artifacts, but it does not present an upfront privacy/data-handling warning near the introduction or first-run flow. In a local-first knowledge-vault tool, this omission is risky because users may unintentionally import confidential personal or enterprise data and persist it across raw/, wiki/, state/, agent/, and export directories without realizing the retention scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that non-code text, images, audio, and other content may be processed by configured model providers, including remote vendors, but it does not give a clear privacy warning at the point where provider-backed processing is described. This creates a real risk that users assume all processing is purely local and inadvertently send confidential documents, screenshots, or recordings to third-party APIs.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is extremely broad and covers many generic inputs such as files, URLs, code, notes, and datasets, which increases the chance the agent will invoke this skill in situations beyond its intended scope. Over-broad activation can cause unnecessary tool use, unreviewed ingestion of sensitive local content, or inappropriate persistence of user data to disk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation guidance repeatedly uses subjective phrases like 'when the user wants' without clear boundaries or negative conditions, making the skill easy to activate opportunistically. In a skill that performs persistent local ingestion, indexing, export, and agent integration, ambiguous triggers increase the risk of collecting or transforming data the user did not clearly intend to place into a durable vault.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The phrase "shortest path from install to a working vault" is broad enough to be invoked during generic onboarding or setup requests, increasing the chance the skill activates without the user clearly intending durable file writes or repository analysis. In this skill's context, that matters because many listed commands create artifacts on disk, inspect local content, and may pull remote repositories, so over-broad activation can lead to unnecessary side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quickstart presents numerous commands that write persistent artifacts locally and includes remote-repository operations like `clone` and `source add` without any warning, confirmation guidance, or safe-default framing. In this skill's context, omission is risky because users may treat quickstart commands as harmless examples, yet they can modify the filesystem, create project artifacts, and pull untrusted remote content into local workspaces.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly states that chat transcripts are persisted to disk, but it does not warn users that potentially sensitive conversational content will be retained locally. In a local-first knowledge vault, users may assume privacy from cloud exposure and overlook that secrets, personal data, or confidential work discussions are still being durably stored and later discoverable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting structured resumable session state without clearly warning that conversational data is saved locally can mislead users about the persistence and inspectability of their interactions. Because resumable state often includes prompts, responses, metadata, and workflow context, it can expose sensitive material to other local users, backups, sync tools, or later processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises sharing and posting commands like `graph share --post` and bundle/export operations without warning that generated artifacts may contain sensitive notes, source code relationships, or local knowledge-vault data. In a local-first knowledge tool that ingests transcripts, documents, repositories, and context packs, omission of a disclosure warning increases the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The hook installation text describes automatic session hooks and background `graph update --file <path>` behavior after Edit/Write, but does not clearly foreground that installing hooks changes future agent behavior and may automatically modify project artifacts. In an agent-integrated tool, understated automatic modification behavior can lead to unintended file changes, repository churn, or execution in sensitive workspaces.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.