Security audit

Document Learning

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate document-learning helper, but it intentionally saves document summaries and progress for future use.

Install only if you want document-derived notes and progress to persist locally. Avoid using it on confidential or personal documents unless you are comfortable with summaries, paths, and reading history being saved in MEMORY.md, daily notes, and progress JSON files; review or delete those files when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises file read/write behavior, including writing progress and learned content to local files, but does not declare permissions. Undeclared filesystem access weakens user and platform visibility into what the skill can persist or modify, which is especially relevant because it handles arbitrary user-supplied documents and writes derived content to memory stores.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 81%
Finding: The documented purpose emphasizes document learning and progress tracking, but the analyzed behavior apparently includes import/export to arbitrary JSON files, resetting progress, and multi-document context switching beyond the declared scope. Behavior mismatches are risky because users may authorize a benign-seeming skill without realizing it can manipulate additional files or states, increasing the chance of unintended data exposure or tampering.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill states that learned knowledge is automatically stored in MEMORY.md and dated notes, but it does not clearly warn that document-derived content may be persisted beyond the current session. If users provide confidential manuals, internal documents, or personal files, sensitive content could be retained locally and later surfaced unexpectedly.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The workflow says progress is saved automatically and key points are extracted to memory files, but it omits an explicit privacy warning about persistent retention. Automatic saving without a clear warning can cause users to disclose sensitive document content into shared or long-lived storage unintentionally.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The feature list names MEMORY.md and dated memory files as outputs but does not caution that these files may retain summaries or excerpts from user documents. Naming concrete storage locations without a data-retention warning increases the chance that sensitive information will be written and later accessed by other workflows or users.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The example command phrases are broad enough to overlap with ordinary user conversation, which can cause unintended invocation or context switching during unrelated interactions. In a skill that persists learning state across sessions and documents, ambiguous triggers increase the chance of acting on the wrong document or exposing prior learned content unexpectedly.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The guide states that summaries, progress, and learned material are saved to memory, but it does not clearly warn users that document-derived content and learning history will be stored persistently. For a document-learning skill, this can lead users to submit sensitive manuals, specifications, or proprietary text without informed consent about retention and later retrieval.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Telling users to delete the progress file as a reset mechanism encourages destructive state changes without warning that the operation may permanently erase bookmarks and learning history. This is primarily an integrity and recoverability issue: users may lose tracked progress accidentally and be unable to restore it.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The skill explicitly instructs the system to persist learned document content in shared memory stores for later retrieval. Persisting and resurfacing user-provided document content across sessions creates a real confidentiality risk, because sensitive material may be disclosed in future queries outside the original context.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The workflow says all learned content accumulates in memory and is searchable later, encouraging broad, indefinite retention of document contents. Searchable retention magnifies the exposure of secrets, proprietary information, or personal data by making later retrieval easier and less context-bound.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The examples normalize saving summaries after every session and building a searchable knowledge base from user documents, which operationalizes repeated persistence of document content. This pattern increases the likelihood of long-term leakage of sensitive text because later prompts can retrieve information extracted from prior private documents.

Ssd 3
Severity: Medium
Confidence: 88%
Finding: The examples normalize broad status and knowledge retrieval across all previously learned documents without discussing scope restrictions, sensitivity, or access controls. In this skill's context, where multiple documents and long-term memory are retained, this can expose confidential information from unrelated or older documents through overly broad queries.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.