Multi-Agent Memory Optimizer

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent memory-management tool, but the review raises real concerns about private-memory isolation, filesystem path scoping, shell command construction from agent-supplied values, and the default for upload confirmation.

Install only if you accept that any agent in the same workspace can read another agent's private memory simply by supplying that agent's ID. Before use, set upload.require_upload_confirm to true, use simple, safe agent IDs and titles (plain alphanumeric identifiers, no spaces or shell metacharacters), never run test-workflow with untrusted values, and review summaries manually before publishing them to the public memory area.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    # 1. Initialize
    print("【1】Initializing space...")
    os.system(f'./memory_optimizer.py init --agent {agent_id}')

    # 2. Generate mid-term summary (using mock data)
    print("\n【2】Generating mid-term summary...")
Confidence
94% confidence
Finding
os.system(f'./memory_optimizer.py init --agent {agent_id}')
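To make the injection concrete, here is an added example (not code from the skill or from SkillSpector) that reproduces the flagged pattern with `echo` standing in for `./memory_optimizer.py init --agent`, beside the argv-list form and an allow-list check on the agent id. The id `demo; echo INJECTED` is a constructed attacker value, and the regex is an assumption about what a "simple safe agent ID" should look like; neither comes from the page. The same fix applies to the workflow test command flagged later in this report.

```python
import re
import subprocess

# Constructed attacker-controlled agent id (not taken from the page).
MALICIOUS_AGENT_ID = "demo; echo INJECTED"

# Assumed allow-list for "simple safe agent IDs": alphanumerics, '_' and '-', 1-64 chars.
AGENT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def vulnerable_init(agent_id: str, tool: str = "echo init --agent") -> str:
    """The flagged pattern: the id is interpolated into a string that a shell parses.

    `tool` stands in for './memory_optimizer.py init --agent' so the demo runs anywhere;
    the shell still treats ';' in the id as a command separator.
    """
    cmd = f"{tool} {agent_id}"  # same shape as os.system(f'... --agent {agent_id}')
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_agent_id(agent_id: str) -> str:
    """Reject anything that is not a plain identifier before it reaches a process."""
    if not AGENT_ID_RE.fullmatch(agent_id):
        raise ValueError(f"invalid agent id {agent_id!r}")
    return agent_id


def argv_only_init(agent_id: str, tool: tuple = ("echo", "init", "--agent")) -> str:
    """No shell: an argv list makes the id a single literal argument, metacharacters inert."""
    return subprocess.run([*tool, agent_id], capture_output=True, text=True).stdout


def hardened_init(agent_id: str, tool: tuple = ("echo", "init", "--agent")) -> str:
    """Argv list plus the allow-list, so a hostile id never reaches the tool at all."""
    argv = [*tool, validate_agent_id(agent_id)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_init(MALICIOUS_AGENT_ID)))   # two commands ran
    print("argv only :", repr(argv_only_init(MALICIOUS_AGENT_ID)))   # one literal argument
    print("hardened  :", repr(hardened_init("demo")))
    try:
        hardened_init(MALICIOUS_AGENT_ID)
    except ValueError as exc:
        print("hardened  :", exc)
```

The argv form alone already stops the injection; the allow-list is what turns "agent id" into a value safe to reuse in file paths and log lines as well, which matters for the path-scoping findings below.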

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose emphasizes memory management and knowledge sharing, but the described commands also include state-changing administrative actions such as config mutation, initialization of local directory structures, and cleanup/deletion of memory files. That mismatch is security-relevant because users may authorize the skill expecting passive memory features while it can also alter local state and potentially remove data.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
The public search results return the full absolute filesystem path for each memory file. This leaks internal directory structure and usernames/home-directory layout, which exceeds what a retrieval API needs to expose and can aid follow-on attacks or unauthorized local file targeting.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The private search function accepts a caller-supplied agent_id and directly uses it to select which private directory to read, with no authentication or ownership check. In a multi-agent memory system, this enables one agent or caller to enumerate and read another agent's private memory, breaking the core privacy boundary of the skill.
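The two findings above (absolute paths in results, and a caller-chosen agent_id selecting the private directory) share one fix, shown here as an added example that is not the skill's code. The store layout `<root>/private/<agent_id>/*.md`, the agent ids alice and bob, the memory text, and the allow-list regex are all constructed for the demo; the real skill's layout is not described on the page. The hardened search takes the caller's identity separately from the requested agent_id, refuses a mismatch, validates and confines the resolved path, and returns paths relative to the store root rather than absolute ones.

```python
import re
import tempfile
from pathlib import Path

# Assumed allow-list for agent ids; '.' and '/' are excluded on purpose.
AGENT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class MemoryStore:
    """Constructed stand-in for the skill's layout: <root>/private/<agent_id>/*.md."""

    def __init__(self, root: str) -> None:
        self.root = Path(root).resolve()
        self.private_root = self.root / "private"
        self.private_root.mkdir(parents=True, exist_ok=True)

    def _agent_dir(self, agent_id: str) -> Path:
        # Reject ids that could change the path shape ('..', '/', spaces, metacharacters).
        if not AGENT_ID_RE.fullmatch(agent_id):
            raise ValueError(f"invalid agent id {agent_id!r}")
        agent_dir = (self.private_root / agent_id).resolve()
        # Second line of defence: the resolved directory must sit directly under private/.
        if agent_dir.parent != self.private_root:
            raise ValueError("agent directory escapes the private root")
        return agent_dir

    def write_private(self, agent_id: str, name: str, text: str) -> None:
        agent_dir = self._agent_dir(agent_id)
        agent_dir.mkdir(exist_ok=True)
        (agent_dir / name).write_text(text, encoding="utf-8")

    def search_private_unscoped(self, agent_id: str, query: str) -> list:
        """The flagged behaviour: the caller picks any agent_id and gets absolute paths back."""
        agent_dir = self.private_root / agent_id
        return [str(p) for p in sorted(agent_dir.glob("*.md"))
                if query in p.read_text(encoding="utf-8")]

    def search_private(self, caller_id: str, agent_id: str, query: str) -> list:
        """Hardened: ownership check, validated and confined path, root-relative results."""
        if caller_id != agent_id:
            raise PermissionError(f"{caller_id!r} may not read private memory of {agent_id!r}")
        agent_dir = self._agent_dir(agent_id)
        if not agent_dir.is_dir():
            return []
        hits = [p for p in sorted(agent_dir.glob("*.md"))
                if query in p.read_text(encoding="utf-8")]
        return [p.relative_to(self.root).as_posix() for p in hits]


def demo() -> dict:
    """Populate a throwaway store with constructed memories and exercise both searches."""
    with tempfile.TemporaryDirectory(prefix="memstore-") as tmp:
        store = MemoryStore(tmp)
        store.write_private("alice", "notes.md", "api token rotation plan")
        store.write_private("bob", "todo.md", "review api design")
        result = {
            # Any caller can read alice's memory by naming her id; paths are absolute.
            "unscoped": store.search_private_unscoped("alice", "api"),
            "scoped": store.search_private("alice", "alice", "api"),
        }
        try:
            store.search_private("bob", "alice", "api")
            result["cross_agent_denied"] = False
        except PermissionError:
            result["cross_agent_denied"] = True
        try:
            store.search_private("../public", "../public", "api")
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = True
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caller identity must come from something the caller cannot choose (the process or session that invoked the tool), not from another request parameter; otherwise the ownership check collapses back into the flagged behaviour.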

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This finding points to the same risky behavior: the workflow test command invokes a shell despite being a local memory-management utility. The unnecessary shell capability expands the attack surface and, combined with unsanitized user input, enables command injection or unexpected command behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists generated summaries to disk automatically under a workspace path derived from configuration and agent-controlled identifiers, without any consent gate, disclosure, or apparent data classification checks. In a memory-management skill handling potentially sensitive multi-agent knowledge, this can expose private conversation content, create unintended retention of secrets, and broaden the local attack surface if other users, agents, or processes can read the saved files.
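The review's advice to set upload.require_upload_confirm to true is only useful if the publish path honours it and fails closed when the key is absent. The following added example (not the skill's code) shows a publish gate that does both, plus a minimal pre-publish classification pass for secret-shaped content. The config dictionaries, the summary texts, and the secret patterns are constructed for the demo; the page names only the `upload.require_upload_confirm` key, not the rest of the config shape.

```python
import re

# Constructed config fragments mirroring the upload.require_upload_confirm setting
# named in the review; the surrounding config shape is assumed.
WEAK_CONFIG = {"upload": {"require_upload_confirm": False}}
HARDENED_CONFIG = {"upload": {"require_upload_confirm": True}}

# Assumed, deliberately small set of secret-shaped patterns for a pre-publish check.
SECRET_PATTERNS = (
    re.compile(r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),               # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
)


def requires_confirmation(config: dict) -> bool:
    """Fail closed: only an explicit boolean False disables the confirmation gate.

    A missing key, or a mis-parsed value such as the string "false", still requires it.
    """
    value = config.get("upload", {}).get("require_upload_confirm", True)
    return value is not False


def classify_summary(summary: str) -> list:
    """Return the secret-shaped fragments found so the caller can refuse or redact."""
    return [m.group(0) for pat in SECRET_PATTERNS for m in pat.finditer(summary)]


def publish_summary(summary: str, config: dict, confirm, public_store: list) -> str:
    """Gate before anything lands in the shared area; returns the outcome as a string."""
    if classify_summary(summary):
        return "blocked: secret-like content"
    if requires_confirmation(config) and not confirm(summary):
        return "declined"
    public_store.append(summary)
    return "published"


def never(_summary: str) -> bool:
    return False


def always(_summary: str) -> bool:
    return True


def demo() -> dict:
    # Constructed summaries: one clean, one carrying a staging credential.
    clean = "Sprint summary: migrated the auth service to the new gateway."
    leaky = "Sprint summary: staging creds are password=hunter2 until rotation."
    weak_store, hard_store = [], []
    return {
        # With the weak default the summary is published although nobody confirmed.
        "weak_default": publish_summary(clean, WEAK_CONFIG, never, weak_store),
        "hardened_declined": publish_summary(clean, HARDENED_CONFIG, never, hard_store),
        "hardened_approved": publish_summary(clean, HARDENED_CONFIG, always, hard_store),
        "missing_key": publish_summary(clean, {}, never, hard_store),
        "secret_blocked": publish_summary(leaky, HARDENED_CONFIG, always, hard_store),
        "weak_store_size": len(weak_store),
        "hard_store_size": len(hard_store),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The classification pass is a backstop, not a substitute for the human review the summary recommends: pattern lists miss anything that does not look like a credential, so the confirmation callback should present the full text to the user before it leaves the private area.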

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal