
Security audit

Retrospect

Security checks across malware telemetry and agentic risk

Overview

This retrospective skill is useful in concept, but it can read a broad set of local AI conversation logs and save sensitive feedback files, going beyond what a user may expect from a simple session review.

Install only if you are comfortable with the skill reading local AI assistant session logs and creating feedback files in your project. Before running it, ask the agent to confirm exactly which session files will be included, restrict analysis to the current project or a specific session, redact secrets, and delete the temporary transcript and feedback files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The manifest implies reviewing a current or past session, but the actual instructions default to analyzing all conversation sessions in the current project. This is a scope expansion vulnerability because a natural-language trigger like 'review this session' could cause collection of far more history than the user intended, increasing privacy risk and violating least surprise.

Description-Behavior Mismatch

Severity: Low
Confidence: 83%
Finding
The skill claims to generate feedback, but it persists the results as files in the project root rather than returning them ephemerally. This can create unintended data retention, clutter repositories, and leak sensitive interpersonal or operational commentary through commits, backups, or shared workspaces.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The instructions direct the agent to write critique documents into the project root, even though that persistence is not clearly necessary for the stated retrospective purpose. Writing sensitive feedback into a project directory can cause accidental inclusion in version control, exposure to collaborators, and lasting storage of potentially confidential session content or behavioral assessments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
In project-wide mode, the script enumerates and reads session logs from multiple assistant-specific directories under the user's home directory, including global Codex and OpenCode session stores that are not filtered to the requested project. Because session logs can contain prompts, secrets, proprietary code snippets, and system/tool outputs, this behavior can unintentionally aggregate and expose unrelated conversations far beyond the user-specified scope.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The activation conditions are very broad, covering many generic phrases about review, reflection, or feedback. Broad triggers increase the chance of accidental invocation of a high-scope skill that reads historical transcripts and writes files, causing unintended data access and side effects without sufficiently informed user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill description omits two material behaviors: it analyzes all project conversation sessions and writes feedback files to the project root. That lack of disclosure undermines informed consent and makes the skill more dangerous because users may unknowingly authorize broad retrospective data collection and persistent storage of sensitive analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
