
Security audit

contextloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a documented Context Loader API helper with disclosed account-scoped API use and a user-requested rebuild operation, with no hidden code or install-time behavior found.

Install this only for a trusted Context Loader endpoint and an APP_USER_ID that is allowed to access the relevant business knowledge-network data. Keep SOUL.md entries accurate, review ambiguous knowledge-network choices, and treat rebuild requests as operational changes that may consume backend resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The document for a 'Context Loader' skill includes a write-capable endpoint that creates knowledge-network build tasks, which goes beyond passive retrieval and can trigger backend state changes. This is dangerous because an agent following this guidance may perform unintended or costly operations under the guise of context loading, especially if user prompts can steer it toward task creation.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The file title and introduction frame the content as Context Loader API usage, but the documented interface set includes state-changing build operations. This mismatch can mislead downstream agents or operators into treating the skill as read-only, increasing the chance of unsafe invocation of a write endpoint without proper scrutiny.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The example explicitly recommends invoking `create_kn_index_build_job` to trigger a full rebuild of a knowledge network, which is a state-changing administrative action rather than context loading or read-only retrieval. In an agent skill framed as a context loader, documenting this as a normal recommended flow can lead downstream agents to perform destructive or costly operations without clear authorization boundaries, increasing the chance of misuse or privilege overreach.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill’s trigger conditions are broad and overlap with common knowledge-seeking requests, so the agent may invoke this skill in situations where it is not necessary. Because the skill reads workspace files such as SOUL.md and may make outbound API calls based on inferred context, an accidental trigger can expand data exposure and cause unintended network actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The build endpoint is documented without any warning that it can launch resource-intensive or system-changing operations. In an agent skill context, omission of such warnings increases the likelihood that an LLM agent will invoke the endpoint automatically, causing unintended workload, cost, or operational disruption.
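The five findings above are all checkable from the skill's own manifest: does a skill framed as a loader document a state-changing endpoint, does that endpoint carry a warning, and do the triggers overlap with ordinary questions. The script below, an added example that is not SkillSpector's code and not part of the audited skill, applies those three checks to a constructed manifest shaped like the one the findings describe (the `create_kn_index_build_job` name is taken from the finding; the other endpoint names, triggers and description text are assumptions), and adds the runtime gate the Overview asks for: anything not clearly a read requires explicit per-call user confirmation.

```python
"""Static audit of an agent-skill manifest for the finding classes reported above:
description/behaviour mismatch, missing user warnings on write-capable endpoints,
and vague triggers.  Added example; not SkillSpector's code.  The manifests at the
bottom are constructed to resemble the audited skill and are not its real files."""
import re
from dataclasses import dataclass, field

# Leading verbs that mark an endpoint as state-changing or as passive retrieval.
WRITE_VERBS = {"create", "build", "rebuild", "delete", "update", "put", "post", "patch", "start", "run"}
READ_VERBS = {"get", "list", "search", "load", "read", "fetch", "query"}
# Description phrases that lead an operator to expect read-only behaviour.
READ_ONLY_CLAIMS = ("loader", "read-only", "retrieval", "lookup")
# Trigger phrases that overlap with ordinary knowledge-seeking requests (assumed list).
GENERIC_TRIGGERS = {"what is", "tell me about", "explain", "look up", "find", "load context"}


@dataclass
class SkillManifest:
    name: str
    description: str
    triggers: list[str]
    endpoints: list[str]                                          # documented tool/endpoint identifiers
    declared_side_effects: set[str] = field(default_factory=set)  # endpoints openly declared as state-changing
    warnings: dict[str, str] = field(default_factory=dict)        # endpoint -> operator warning text


def classify(endpoint: str) -> str:
    """Return 'write', 'read' or 'unknown', decided by the leading verb only,
    so get_build_status stays a read even though it contains 'build'."""
    verb = re.split(r"[_\-\s/]+", endpoint.strip().lower())[0]
    if verb in WRITE_VERBS:
        return "write"
    if verb in READ_VERBS:
        return "read"
    return "unknown"


def requires_confirmation(endpoint: str) -> bool:
    """Runtime gate for the agent: anything not clearly a read needs an explicit,
    per-call user confirmation before it is invoked (fails closed on unknown verbs)."""
    return classify(endpoint) != "read"


def audit(m: SkillManifest) -> list[dict]:
    """Run the three static checks and return one dict per finding, in manifest order."""
    findings = []
    claims_read_only = any(c in m.description.lower() for c in READ_ONLY_CLAIMS)
    for ep in m.endpoints:
        if classify(ep) != "write":
            continue
        # A write endpoint is only a mismatch if the skill reads as retrieval-only and does not disclose it.
        if claims_read_only and ep not in m.declared_side_effects:
            findings.append({"rule": "description-behavior-mismatch", "endpoint": ep,
                             "detail": f"'{m.name}' reads as retrieval-only but documents state-changing endpoint {ep}"})
        if ep not in m.warnings:
            findings.append({"rule": "missing-user-warning", "endpoint": ep,
                             "detail": f"{ep} can change backend state or consume resources but carries no warning"})
    vague = [t for t in m.triggers if t.strip().lower() in GENERIC_TRIGGERS or len(t.split()) <= 2]
    if vague:
        findings.append({"rule": "vague-triggers", "triggers": vague,
                         "detail": "triggers overlap with ordinary knowledge-seeking requests"})
    return findings


# Constructed manifest resembling the audited skill as the findings describe it.
AS_AUDITED = SkillManifest(
    name="contextloader",
    description="Context Loader API helper for retrieving knowledge-network context.",
    triggers=["load context", "what is", "when the user asks about the business knowledge network"],
    endpoints=["get_kn_entries", "search_kn", "create_kn_index_build_job"],
)

# Constructed manifest with the side effect declared, warned about, and tied to a specific trigger.
HARDENED = SkillManifest(
    name="contextloader",
    description="Context Loader API helper; can also create a knowledge-network rebuild job on explicit request.",
    triggers=["when the user asks about the business knowledge network",
              "when the user explicitly asks to rebuild the knowledge-network index"],
    endpoints=["get_kn_entries", "search_kn", "create_kn_index_build_job"],
    declared_side_effects={"create_kn_index_build_job"},
    warnings={"create_kn_index_build_job": "Launches a full rebuild and consumes backend resources; confirm with the user first."},
)

if __name__ == "__main__":
    for f in audit(AS_AUDITED):
        print(f["rule"], f.get("endpoint", f.get("triggers")))
    print("hardened findings:", audit(HARDENED))
```

Run on the as-audited manifest it reports the mismatch and the missing warning on `create_kn_index_build_job` plus the two generic triggers; on the hardened manifest it reports nothing, because the write endpoint is declared, documented with a warning, and only reachable through a trigger that names the rebuild. The verb-based classifier is deliberately crude: it is a first pass for an operator reviewing a skill before install, not a substitute for reading the endpoint documentation.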

VirusTotal

64/64 vendors reported this skill as clean.
