Private Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local PDF knowledge-base skill, but its ingest script has an unsafe fallback path and it stores extracted document text persistently.

Review or patch scripts/ingest.sh before using this with untrusted filenames or folders, especially on systems without pdftotext. Set KB_ROOT deliberately, assume extracted PDF text and source paths are stored locally in plaintext, and delete the knowledge-base directory when you no longer want the documents retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs ingestion, extraction, embedding generation, and storage of user-supplied PDFs and metadata, but does not warn that this creates persistent local copies and derived data. For a 'private' knowledge base, that omission can mislead users into providing sensitive documents without understanding retention, increasing privacy and data handling risk.

Session Persistence

Medium
Category: Rogue Agent
Content
When user provides new PDFs or papers:

1. Create document entry in `kb/index.json`
2. Extract text and metadata
3. Generate embeddings for semantic search
4. Store in `kb/docs/` with normalized name
Confidence: 88%

VirusTotal

66/66 vendors flagged this skill as clean.