Back to skill

Security audit

御知库

Security checks across malware telemetry and agentic risk

Overview

This is a local personal knowledge-base skill that stores and searches user-added documents, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you want a persistent local knowledge base. Do not add secrets or highly sensitive documents unless you are comfortable with their text being copied into ~/.yuzhi/index.db and potentially used in later answers. Prefer explicit search/add commands for sensitive work, and verify local PDF support because it depends on pdfplumber being available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes use of local storage, SQLite indexing, and CLI commands that imply file reads and shell-capable execution, but it declares no permissions or constraints. This creates a trust and containment gap: the agent may access local files or invoke commands without explicit user-visible authorization boundaries, increasing the risk of unintended data exposure from the knowledge-base paths under ~/.yuzhi/ or from user-supplied file paths.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description says the skill triggers when the user asks knowledge-related questions, which is so broad that ordinary conversation may invoke it unintentionally. An overbroad trigger can cause unsolicited retrieval from the local knowledge base, potentially surfacing sensitive stored content when the user did not explicitly request a repository search.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The workflow states that when the user asks a question, the system automatically performs retrieval and prioritizes knowledge-base content in the answer, but it does not define activation constraints, sensitivity checks, or confirmation requirements. In context, this makes the skill more dangerous because the knowledge base is personal and may contain decisions, personnel data, and technical documents, so ambiguous auto-recall could leak private information into normal responses.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.