Skill Trust Decision

memory-compactor

Skill declares memory file manipulation and scheduled execution but provides no implementation code to audit, creating a doc-to-code verification gap.

Source: Manual upload
Scanned: Apr 3, 2026
Files: 1
Artifacts: 0
Violations: 1
Findings: 3
Most direct threat evidence
01
User installs skill trusting SKILL.md description Entry · SKILL.md
02
AI agent invokes skill to compress memory files Reconnaissance · SKILL.md
03
Skill accesses memory files containing potential sensitive data Escalation · SKILL.md

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 0 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs skill trusting SKILL.md description

Entry · SKILL.md:1

02
AI agent invokes skill to compress memory files

Reconnaissance · SKILL.md:12

03
Skill accesses memory files containing potential sensitive data

Escalation · SKILL.md:15

04
Without a code audit, the actual behavior is unverifiable: the skill could exfiltrate data or modify files beyond its declared scope

Impact · SKILL.md:22

What drove the risk score up

No implementation code +20

SKILL.md describes filesystem operations but has zero scripts to audit

Undeclared scheduled execution +15

Claims '定时任务自动执行' (scheduled auto-execution) without explaining the mechanism

Memory file access unverifiable +10

Skill accesses memory files that may contain sensitive data, but there is no code to audit its behavior

No allowed-tools declaration +5

Missing explicit declaration of required filesystem permissions

Most important evidence

Medium Doc Mismatch

Documentation-only skill with unverifiable behavior

The skill describes filesystem operations (compress, clean, write) on memory files but provides zero implementation code. Whether the declared behavior matches actual execution cannot be verified.

SKILL.md:1
Require submission of implementation scripts (Python/Bash) that can be audited for actual file operations, network access, and data handling.
Medium Priv Escalation

Undeclared scheduled execution mechanism

SKILL.md states '定时任务自动执行: 每周日22:00' (scheduled auto-execution: every Sunday at 22:00) but does not explain how scheduled execution is implemented. It could involve cron jobs, systemd timers, or hidden agent hooks.

SKILL.md:22
Specify the exact mechanism for scheduled execution. If using cron, declare it in documentation.
Low Sensitive Access

Memory file access without visibility into data handling

Skill operates on memory files that may contain sensitive user data, preferences, or possibly credentials. There is no code with which to verify that the data remains local and is not exfiltrated.

SKILL.md:12
Add explicit statement that memory contents are processed locally only and not transmitted externally.

Declared capability vs actual capability

Filesystem · Block
Declared: NONE
Inferred: WRITE
Evidence: SKILL.md describes '压缩冗余内容,清理过期信息' (compress redundant content, clean expired info) but provides no implementation

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 48 lines
Markdown · 1 file · 48 lines
Files of concern · 1
SKILL.md Markdown · 48 lines
Documentation-only skill with unverifiable behavior · Undeclared scheduled execution mechanism · Memory file access without visibility into data handling

Security positives

No network requests described in documentation
No credential harvesting mentioned
No base64, eval, or obfuscation patterns visible in docs
Core concept (memory compression) is functionally legitimate