Conversation Guard

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local conversation backup skill, but it needs review because it can automatically save full chats, including sensitive personal content and passwords, in plaintext files without strong controls.

Install only if you intentionally want continuous local transcript logging. Pin or verify the script before sourcing it, remove password/secret keywords from importance rules, assume saved files may contain private data, set restrictive file permissions, and periodically review or delete the memory and .guardian files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill does more than passive backup: it explicitly instructs the system to recover prior context into new sessions via `guardian_recover_context`. That creates cross-session persistence of prior conversation state, which can reintroduce sensitive data into future interactions without fresh user consent or clear scoping controls.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The header and usage imply a passive utility, but sourcing the file has side effects because `guardian_init` runs automatically and creates directories/files while updating session state. In a shell-sourced skill, hidden side effects on import are risky because users may expect inspection/loading only, not immediate persistence changes.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README instructs users to add automation that records every user message and assistant response after each interaction, but it does not require clear notice, consent, or selective filtering for sensitive content. Because the examples explicitly include emotional and personal exchanges, this creates a real privacy and data-retention risk rather than a purely theoretical one.

Missing User Warnings

High
Confidence: 98%
Finding
The skill directs automatic recording of every exchange, including emotional and personal content, but provides no explicit user notice, consent flow, retention period, or privacy boundary. This is dangerous because it silently persists sensitive conversational data that users may reasonably expect to remain ephemeral.

Missing User Warnings

Medium
Confidence: 92%
Finding
`record_interaction` persistently writes full user and assistant messages to JSONL and Markdown files under the user's home directory without any consent, retention control, or sensitivity filtering. This can expose secrets, personal data, tokens, or proprietary prompts if the local machine, backups, or synced home directory are accessed by others.

Missing User Warnings

Low
Confidence: 96%
Finding
The script calls `guardian_init` unconditionally when sourced, which immediately creates storage directories and may initialize a daily log file. In the context of a sourced shell skill, this is an unexpected persistence action and weakens user control over when conversation tracking begins.

Ssd 3

Medium
Confidence: 98%
Finding
These instructions create automatic persistent logging of natural-language conversations, including both sides of the exchange, without meaningful minimization. In a conversational system, that can capture credentials, health details, personal relationships, and other sensitive material that users may not expect to be stored indefinitely.

Ssd 3

Medium
Confidence: 97%
Finding
The importance examples explicitly encourage storing emotional exchanges, personal preferences, and critical information, which are exactly the kinds of sensitive data that raise privacy and misuse concerns. Labeling such material as more important increases the chance it is retained longer, surfaced more often, or treated as especially valuable if the host is compromised.

Ssd 3

Medium
Confidence: 99%
Finding
The custom flow guidance goes further by instructing semantic detection of emotional content and automatic elevation for logging, which amounts to profiling and targeted retention of sensitive material. This makes the skill more dangerous in context because it is not just passively storing what is given; it is actively identifying sensitive content for preservation.

Ssd 3

High
Confidence: 99%
Finding
These instructions tell the agent to persist every user message and assistant response to local files after each response. Because the capture is broad and includes emotional/personal content, it creates a durable local archive of potentially sensitive data that could be exposed, mishandled, or reused outside the user's expectations.

Ssd 3

High
Confidence: 99%
Finding
The custom importance rules explicitly elevate messages containing `密码`/`password`, which encourages preferential retention of credentials and other highly sensitive secrets. Prioritizing secret-bearing messages for storage materially increases the risk of credential exposure and misuse.

VirusTotal

66/66 vendors flagged this skill as clean.