Back to skill

Security audit

Double-Check-It Skill (再想想技能1.0)

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it automatically saves and reuses conversation history in plain local files with limited user controls.

Install only if you intentionally want an always-on local memory system for the agent. Avoid using it around secrets, credentials, personal data, financial details, or confidential work unless you are comfortable with those details being stored in plain text, and regularly inspect or clear the memory directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to "actively remember every conversation" and record actions by default, but provides no consent flow, retention limits, redaction rules, or warning about privacy impact. This creates a broad data-retention mechanism that can capture sensitive user content, credentials, business data, or regulated information and persist it beyond the immediate task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The idle reflection feature performs secondary processing on historical memories and writes derived lessons to persistent storage without user notice or permission. That expands the privacy risk because previously stored conversations are re-read and transformed into new artifacts, potentially propagating sensitive information into additional files.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill instructs automatic memory recording after every user interaction and completed action, with no scoping, consent gate, or exclusion for sensitive content. This creates a broad persistent logging channel that can capture secrets, personal data, or confidential task details far beyond what is necessary for task completion.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The idle reflection feature is triggered during heartbeat idle periods on a random schedule, which implies background processing without a clear user action or visibility. That can cause unintended access to previously stored conversations and generation of additional derived records, increasing privacy and data handling risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed around a long-term memory system that stores diaries, documents, and experience summaries, but it provides no user-facing disclosure, consent, or privacy safeguards. Persisting interaction-derived data in this way can accumulate sensitive personal, financial, or operational information and materially increases breach and misuse impact.

Missing User Warnings

High
Confidence
98% confidence
Finding
The auto-memory section explicitly says recording occurs after each interaction and action completion, again without warning the user that continuous logging is taking place. Continuous silent retention is dangerous because users may reasonably assume ephemeral processing while the system is instead creating permanent records.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes user-provided content to persistent storage under a fixed workspace path without any consent prompt, retention notice, or sensitivity filtering. In an agent environment, users may provide secrets, personal data, or sensitive task details, which can then remain on disk and be accessible to later processes or users with filesystem access.

Ssd 3

Medium
Confidence
97% confidence
Finding
The README directs the agent to remember and record every user conversation and important requirements in natural language, creating a clear risk of retaining sensitive user-provided data in logs or memory files. Because the retained content is semantically rich rather than narrowly structured, it may include confidential context that is later exposed, searched, or reused in unrelated tasks.

Ssd 3

Medium
Confidence
96% confidence
Finding
The auto-memory section requires recording after each user interaction and after completing actions, which strongly encourages blanket logging of all user-provided content. In practice this can capture sensitive prompts, operational details, or private data even when long-term storage is unnecessary for task completion.

Ssd 3

Medium
Confidence
90% confidence
Finding
The double-check workflow requires retrieving prior memories and comparing them to original requirements before every delivery, increasing the number of times stored user data is accessed and reused. Frequent retrieval raises the chance of accidental disclosure, over-retention, and cross-task contamination if the memory store contains sensitive or unrelated information.

Ssd 3

Medium
Confidence
95% confidence
Finding
The Chinese section reiterates that the agent should remember every conversation and write mistakes and lessons into persistent memory/experience stores, reinforcing unrestricted long-term retention of user-derived content. Repetition in multiple languages increases the likelihood the behavior is treated as mandatory and always-on, making the privacy issue more entrenched.

Ssd 3

Medium
Confidence
96% confidence
Finding
The Chinese auto-memory rules require recording after every interaction, including detailed records of user requirements and plans, which can preserve sensitive intent and context far beyond operational need. This broad capture makes the skill more dangerous because requirements often contain proprietary, personal, or security-relevant details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions require routine long-term recording of ordinary and important interaction details in natural language, which creates a durable repository of potentially sensitive content. Natural-language notes are especially risky because they often contain contextual details that are harder to classify, sanitize, and protect than structured fields.

Ssd 3

Medium
Confidence
91% confidence
Finding
The review workflow directs the agent to retrieve historical memory and compare it with original user requests, increasing the chance that old sensitive data is re-exposed during unrelated tasks. Rehydrating prior context can leak confidential information into the current processing path or outputs, especially if memory retrieval is broad or poorly scoped.

Ssd 3

Medium
Confidence
91% confidence
Finding
The check workflow retrieves and displays previously stored diary content by grepping for the task description, which can surface sensitive historical user inputs in later sessions. Because the design intentionally stores and reuses natural-language requests, it creates a disclosure channel for private instructions, preferences, or secrets embedded in earlier records.

Ssd 3

Medium
Confidence
94% confidence
Finding
The reflection feature actively mines stored records for corrections, feedback, and preferences and consolidates them into a reusable summary file. This increases persistence and discoverability of user behavioral data and preferences, making accidental disclosure or unauthorized profiling more likely in a shared or agentic workspace.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.