memory-guardian-agnet

Security checks across malware telemetry and agentic risk

Overview

This local memory-management skill is coherent and not visibly exfiltrating data, but it can automatically rewrite, archive, or delete workspace memory with weak confirmation and scoping controls.

Install only for a workspace where automatic memory maintenance is acceptable. Use explicit --workspace paths, run dry-run modes first, avoid scheduling write-enabled cron until you have backups, and treat access_log.jsonl/meta.json as sensitive local data. Review or patch the case retirement checks and the --skip-security flag before trusting it for important agent memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities—environment access, file reads/writes, and shell-based CLI fallback—but does not declare permissions or boundaries. In an agent setting, this creates hidden authority: the agent may invoke filesystem or shell operations without an explicit trust/consent model, increasing the chance of unsafe writes, workspace tampering, or execution of unintended commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose frames the skill as memory lifecycle management, but the described/observed behavior extends into telemetry ingestion, rule extraction/enforcement, migrations, snapshot retention, routing, and confirmation workflows. This mismatch is dangerous because agents and operators may grant trust based on the narrow description while the skill actually processes more data, persists more state, and performs more powerful actions than expected.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`resolve_workspace` accepts caller-supplied `workspace` paths, validates only with `realpath`, and then performs reads/writes under that path, including `os.makedirs(ws, exist_ok=True)`. In an MCP context this expands the tool from managing the agent's intended memory workspace to potentially modifying arbitrary filesystem locations accessible to the process, which is a real scope-break and can be abused for unintended file creation or tampering.
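The scope-break above comes down to one missing check: realpath normalises a path but says nothing about where it lands. The example below is added here and is not the skill's own code; `resolve_workspace_unsafe()` reproduces the realpath-then-makedirs pattern the finding describes, and `resolve_workspace_confined()` is the hardened form that pins the workspace under an allowed root, refuses to create directories implicitly, and uses `os.path.commonpath` so a sibling directory sharing a name prefix cannot slip past a `startswith()` check. The allowed-root parameter and the directory layout in `demo()` are assumptions made for the demonstration.

```python
import os
import tempfile

# Added example, not the skill's own code. resolve_workspace_unsafe() reproduces
# the pattern the finding describes (realpath, then makedirs); the _confined()
# variant is the hardened form. The allowed-root parameter and the directory
# layout built in demo() are assumptions made for this demonstration.


def resolve_workspace_unsafe(workspace: str) -> str:
    """Flagged pattern: any caller-supplied path is normalised and then created."""
    ws = os.path.realpath(workspace)
    os.makedirs(ws, exist_ok=True)  # creates directories anywhere the process can write
    return ws


def resolve_workspace_confined(workspace: str, allowed_root: str) -> str:
    """Hardened form: the workspace must already exist and must sit under allowed_root."""
    root = os.path.realpath(allowed_root)
    ws = os.path.realpath(workspace)  # resolves symlinks before the containment check
    # commonpath() avoids the prefix trap where "/root2".startswith("/root") is true
    if os.path.commonpath([root, ws]) != root:
        raise PermissionError(f"workspace {ws!r} escapes allowed root {root!r}")
    if not os.path.isdir(ws):
        # never create directories implicitly; creation stays a separate, reviewable step
        raise FileNotFoundError(f"workspace {ws!r} does not exist")
    return ws


def demo() -> dict:
    """Exercise both resolvers on a constructed directory tree and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "agent_root")
        os.makedirs(os.path.join(root, "ws1"))
        os.makedirs(os.path.join(tmp, "agent_root2"))  # sibling sharing a name prefix
        traversal = os.path.join(root, "ws1", "..", "..", "elsewhere")

        # unsafe resolver: the traversal path silently creates <tmp>/elsewhere
        resolve_workspace_unsafe(traversal)
        results["unsafe_created_outside"] = os.path.isdir(os.path.join(tmp, "elsewhere"))

        # confined resolver: the in-root path is accepted, everything else is rejected
        results["confined_ok"] = resolve_workspace_confined(
            os.path.join(root, "ws1"), root) == os.path.realpath(os.path.join(root, "ws1"))
        for label, candidate in (
            ("traversal", traversal),
            ("prefix_sibling", os.path.join(tmp, "agent_root2")),
            ("missing", os.path.join(root, "ws_new")),
        ):
            try:
                resolve_workspace_confined(candidate, root)
                results[label] = "accepted"
            except (PermissionError, FileNotFoundError) as exc:
                results[label] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving symlinks before the containment check matters: a symlink inside the root that points outside it resolves to its target and is rejected, which is the behaviour you want for a tool that writes.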

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The implementation of archive_case() and delete_case() does not enforce the documented preconditions that a case must be frozen and reviewed first. Any caller with access to this script can directly archive or soft-delete arbitrary cases by ID, bypassing the intended review workflow and weakening integrity controls over memory/case lifecycle management.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The top-level design documentation promises human review actions on frozen cases, but the exposed CLI directly performs delete operations with no technical enforcement of that review gate. In a memory-management skill, this mismatch is dangerous because operators may trust the documented safeguards while the code allows destructive state changes immediately.
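Both Intent-Code Divergence findings above describe the same gap: the documentation promises freeze, then review, then archive or delete, but the code accepts a case ID and acts. The example below is added here and is not the project's code; it shows the review gate enforced as a state machine where every destructive transition checks the case's current status and review record, defaults to dry-run, and replaces the MAX_FROZEN auto-archive with a list of candidates for an operator to act on. The status names, the review record shape, the `frozen_at` ordering key, the `MAX_FROZEN` value and the `meta` dict standing in for meta.json are all assumptions chosen for the demonstration.

```python
# Added example, not the project's code. It shows the review gate the page's
# design documentation promises but archive_case()/delete_case() do not enforce.
# The status names, the review record shape, the frozen_at ordering key and the
# MAX_FROZEN value are assumptions chosen for this demonstration; meta is a dict
# standing in for meta.json.

MAX_FROZEN = 3


class LifecycleError(Exception):
    """Raised when a caller asks for a transition the workflow does not allow."""


def _find(meta: dict, case_id: str) -> dict:
    try:
        return meta["cases"][case_id]
    except KeyError:
        raise LifecycleError(f"unknown case {case_id!r}") from None


def _require(case: dict, status: str, reviewed: bool = False) -> None:
    if case["status"] != status:
        raise LifecycleError(f"case {case['id']} is {case['status']!r}, expected {status!r}")
    if reviewed and "review" not in case:
        raise LifecycleError(f"case {case['id']} has no review record")


def _plan(case: dict, new_status: str, dry_run: bool) -> dict:
    """Describe the transition; mutate only when the caller explicitly disabled dry-run."""
    plan = {"case": case["id"], "from": case["status"], "to": new_status, "applied": not dry_run}
    if not dry_run:
        case["status"] = new_status
    return plan


def freeze_case(meta: dict, case_id: str, now: int, dry_run: bool = True) -> dict:
    case = _find(meta, case_id)
    _require(case, "active")
    if not dry_run:
        case["frozen_at"] = now
    return _plan(case, "frozen", dry_run)


def review_case(meta: dict, case_id: str, reviewer: str, verdict: str, dry_run: bool = True) -> dict:
    """Human review is the only way a frozen case becomes eligible for archiving."""
    case = _find(meta, case_id)
    _require(case, "frozen")
    if verdict not in ("retire", "keep"):
        raise LifecycleError(f"unknown verdict {verdict!r}")
    if not dry_run:
        case["review"] = {"by": reviewer, "verdict": verdict}
    return {"case": case_id, "review": verdict, "applied": not dry_run}


def archive_case(meta: dict, case_id: str, dry_run: bool = True) -> dict:
    case = _find(meta, case_id)
    _require(case, "frozen", reviewed=True)  # the documented precondition, now enforced
    if case["review"]["verdict"] != "retire":
        raise LifecycleError(f"case {case_id} was reviewed as 'keep'")
    return _plan(case, "archived", dry_run)


def delete_case(meta: dict, case_id: str, dry_run: bool = True) -> dict:
    """Soft delete is only reachable from the archived state, never straight from active."""
    case = _find(meta, case_id)
    _require(case, "archived", reviewed=True)
    return _plan(case, "deleted", dry_run)


def frozen_over_cap(meta: dict, max_frozen: int = MAX_FROZEN) -> list:
    """Replace silent auto-archive: name the oldest frozen cases beyond the cap so an
    operator can run archive_case() on them deliberately."""
    frozen = sorted((c for c in meta["cases"].values() if c["status"] == "frozen"),
                    key=lambda c: c["frozen_at"])
    excess = len(frozen) - max_frozen
    return [c["id"] for c in frozen[:excess]] if excess > 0 else []


def sample_meta() -> dict:
    """Constructed stand-in for meta.json with five active cases."""
    return {"cases": {f"c{i}": {"id": f"c{i}", "status": "active"} for i in range(1, 6)}}


if __name__ == "__main__":
    meta = sample_meta()
    print(freeze_case(meta, "c1", now=1))  # dry run: nothing changes
    freeze_case(meta, "c1", now=1, dry_run=False)
    review_case(meta, "c1", "alice", "retire", dry_run=False)
    print(archive_case(meta, "c1", dry_run=False))
    try:
        delete_case(meta, "c2", dry_run=False)  # active -> deleted is refused
    except LifecycleError as exc:
        print("refused:", exc)
```

The point of returning a plan from every call is that a scheduled or agent-driven invocation produces something auditable even when it does nothing, and a caller has to pass `dry_run=False` on purpose to change state.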

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The quality gate module is supposed to evaluate and control writes, but it also directly replays ingest, modify, and delete operations against meta.json. That coupling creates an overly privileged control component: if queue entries or upstream write_data are malformed or attacker-influenced, this module can mutate arbitrary memory records and add arbitrary fields without strong validation or action scoping.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger set includes generic tool names and common filenames such as meta.json, MEMORY.md, and memory-guardian, which can cause accidental activation in unrelated contexts. In an autonomous agent workflow, unintended invocation can lead to unnecessary maintenance runs, file modifications, compaction, or state changes in the wrong workspace simply because a common token appeared.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The proposal describes an irreversible cleanup step that removes content from MEMORY.md after bootstrap, with only a backup file as a safeguard and no explicit requirement for user confirmation, dry-run mode, or prominent warning at the point of use. In an agent skill that manages long-lived workspace memory, this creates a real risk of unintended data loss or silent modification of user-maintained content, especially if extraction or section-matching is imperfect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The specification documents an irreversible retirement/archive path from reviewing without requiring an explicit user confirmation, warning, or undo window. In a memory-management skill that governs case lifecycle and archival, this creates a real risk of unintended permanent data loss or silent state changes if an agent or automation invokes the action incorrectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented MAX_FROZEN behavior automatically archives the oldest frozen case when the cap is exceeded, but it does not describe any prior warning, approval, or recovery mechanism. Because this skill manages persistent workspace memory, automatic archival can silently remove important review candidates or evidence, making operational mistakes and integrity loss more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This documentation describes that setting `dry_run=false` enables writes and that oversized daily notes may be rotated and replaced, but it does not clearly foreground that this can modify or replace workspace files automatically. In a memory-management skill whose normal function includes maintenance and archival operations, ambiguous safety messaging increases the chance of unintended destructive actions by users or higher-level agents invoking the tool without realizing it is no longer analysis-only.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document introduces continuous access logging and later user-visible reporting without any explicit consent, notice, or minimization controls. Even though this appears intended for memory quality/decay tuning, it creates a privacy-relevant telemetry channel that records user interaction patterns and could capture sensitive context indirectly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
In --auto mode the script deletes matched sections from daily notes, rewrites files in place, rotates oversized notes into summaries, and can rewrite MEMORY.md, but it provides no interactive confirmation or strong safeguard beyond the command-line flag. In an agent skill that manages persistent workspace memory, an unintended or overly broad invocation can silently destroy or substantially alter user data, especially because section matching is heuristic and the removal regex may delete more content than the operator expects.
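The "removal regex may delete more content than the operator expects" point above, and the earlier finding about irreversible cleanup of MEMORY.md, both come down to heuristic matching plus in-place writes. The example below is added here and is not the skill's own code: `DAILY_NOTE` is a constructed sample, the greedy pattern in `remove_section_naive()` is an illustrative stand-in for the skill's removal regex rather than a copy of it, and `remove_section_bounded()` shows the alternative, removing only sections whose heading matches exactly, with a dry-run plan and a backup before any rewrite.

```python
import re
import shutil

# Added example, not the skill's own code. It shows why heuristic section removal
# over daily notes can delete more than intended and what a bounded removal with
# a dry-run default looks like. DAILY_NOTE is a constructed sample, and the
# greedy pattern in remove_section_naive() is an illustrative stand-in for the
# skill's removal regex, not a copy of it.

DAILY_NOTE = """# Daily 2024-05-01

## Todo
- call vendor about renewal

## Decisions
- keep current vendor

## Todo
- archive stale cases
"""


def remove_section_naive(text: str, heading: str) -> str:
    """Greedy DOTALL pattern: matches from the first heading to the LAST newline."""
    pattern = rf"^## {re.escape(heading)}.*\n"
    return re.sub(pattern, "", text, flags=re.S | re.M)


def split_sections(text: str):
    """Yield (heading, lines) chunks; the preamble before the first '## ' has heading None."""
    heading, chunk = None, []
    for line in text.splitlines(keepends=True):
        if line.startswith("## "):
            yield heading, chunk
            heading, chunk = line[3:].strip(), [line]
        else:
            chunk.append(line)
    yield heading, chunk


def plan_removal(text: str, heading: str) -> list:
    """Dry-run view: which sections would go, and how many body lines each holds."""
    return [{"heading": h, "lines": len(chunk) - 1}
            for h, chunk in split_sections(text) if h == heading]


def remove_section_bounded(text: str, heading: str):
    """Remove only sections whose heading matches exactly; everything else is kept byte-for-byte."""
    kept, removed = [], 0
    for h, chunk in split_sections(text):
        if h == heading:
            removed += 1
            continue
        kept.extend(chunk)
    return "".join(kept), removed


def apply_in_place(path: str, heading: str, confirm: bool = False) -> dict:
    """Rewrite a note file only with confirm=True, and only after a backup exists."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    plan = plan_removal(text, heading)
    if not confirm or not plan:
        return {"applied": False, "plan": plan}
    shutil.copyfile(path, path + ".bak")  # backup before the destructive write
    new_text, removed = remove_section_bounded(text, heading)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return {"applied": True, "removed": removed, "backup": path + ".bak"}


if __name__ == "__main__":
    print("--- naive ---")
    print(remove_section_naive(DAILY_NOTE, "Todo"))  # 'Decisions' is gone too
    print("--- bounded ---")
    print(remove_section_bounded(DAILY_NOTE, "Todo")[0])  # 'Decisions' survives
```

Running the naive pattern against the sample removes everything from the first `## Todo` to the end of the file, including the `## Decisions` section the operator never asked to touch; the bounded version removes both `Todo` sections and nothing else, and `apply_in_place()` refuses to write unless the caller has seen the plan and confirmed.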

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs state-changing writes to meta.json and automatically marks memories as archived or deleted based on computed scores without any explicit confirmation, approval gate, or safety interlock beyond a dry-run flag. In the context of a memory lifecycle management skill, this is particularly risky because routine or scheduled execution can silently cause irreversible or hard-to-audit loss of agent memory, degrading system behavior or destroying evidence needed for review.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The bootstrap flow performs destructive workspace modifications: it writes many files, rewrites MEMORY.md, and only creates a backup immediately before overwriting, without an explicit preflight confirmation or safer dry-run-first behavior. In an agent skill context, this is more dangerous because an automated caller may trigger bootstrap on the wrong workspace and silently alter or reorganize user data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The ingest result prints the first 100 characters of the stored memory content directly to stdout. Because this tool manages agent memory and may ingest secrets, personal data, tokens, internal URLs, or incident notes, stdout exposure can leak sensitive data into terminal history, logs, orchestration traces, or CI job output without any redaction or explicit opt-in.

Ssd 3

Medium
Confidence
91% confidence
Finding
The design introduces persistent access_log.jsonl entries containing file names, timestamps, free-form context, tags, and periodic scanning of daily_notes to infer usage. This creates a durable behavioral and content-derived audit trail that can expose sensitive user material, work patterns, and inferred topics beyond what is necessary for memory decay, and the skill context increases risk because it operates directly on agent memory and notes.

Ssd 3

Medium
Confidence
90% confidence
Finding
The negative-feedback flow explicitly stores and forwards original content, corrected content, and diffs for owner adjudication, which can unnecessarily replicate and disseminate user-provided text. In a memory-management skill, this is a genuine data exposure risk because corrections may contain sensitive personal, proprietary, or confidential information, and forwarding multiplies the number of places that data is retained.

Ssd 3

Medium
Confidence
97% confidence
Finding
Requiring a log entry after every memory read creates a persistent behavioral audit trail of which memories were accessed, when, and why. The free-form `context` field can easily accumulate sensitive user content, investigative topics, or workflow details, making the logging system itself a new sensitive datastore.

Ssd 3

Medium
Confidence
89% confidence
Finding
The cron template instructs the agent to announce internal maintenance details such as memory counts, gate state, archive/delete actions, and storage size. Broadcasting this operational metadata can expose the existence, scale, and lifecycle of stored user data to channels or viewers who do not need that level of detail.

Ssd 3

Medium
Confidence
98% confidence
Finding
Mandating an append to `access_log.jsonl` after every `memory_get` with a human-written reason institutionalizes collection of sensitive interaction context at scale. Because the field is natural language and tied to specific files and timestamps, it can reveal user interests, cases, daily activity, and potentially confidential subject matter over time.
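The access-log findings above all point at the same design choice: readable file names, full timestamps and a free-form `context` field turn a decay-tuning signal into a behavioural record. The example below is added here and is not the project's code. It shows an entry reduced to what decay scoring needs (a salted hash of the file name, day granularity, a reason from a closed vocabulary, no tags) and a checker that runs over raw JSONL lines and reports entries that over-collect. The reason vocabulary, the per-workspace salt and both sample lines are constructed for the demonstration; the verbose line is modelled on the fields the findings list, not copied from the skill's real access_log.jsonl.

```python
import hashlib
import json
from datetime import datetime

# Added example, not the project's code. It shows an access-log entry reduced to
# what memory-decay scoring needs and a check that flags over-collecting entries.
# The closed reason vocabulary, the per-workspace salt and the sample lines are
# assumptions constructed for this demonstration; the verbose line is modelled on
# the fields the findings list (file name, timestamp, free-form context, tags),
# not copied from the skill's real access_log.jsonl.

REASONS = frozenset({"recall", "decay-scan", "review", "bootstrap"})
ALLOWED_KEYS = frozenset({"file", "day", "reason"})


def make_entry(path: str, reason: str, when: datetime, workspace_salt: bytes) -> dict:
    """Minimised entry: salted hash instead of the file name, day instead of a timestamp,
    a reason from a fixed vocabulary instead of free text, and no tags."""
    if reason not in REASONS:
        raise ValueError(f"reason must be one of {sorted(REASONS)}, got {reason!r}")
    digest = hashlib.sha256(workspace_salt + path.encode("utf-8")).hexdigest()
    return {"file": digest[:16], "day": when.date().isoformat(), "reason": reason}


def audit_entry(entry: dict) -> list:
    """Return the ways one log entry over-collects, empty if it is within policy."""
    problems = []
    extra = set(entry) - ALLOWED_KEYS
    if extra:
        problems.append(f"unexpected fields: {sorted(extra)}")
    file_ref = str(entry.get("file", ""))
    if "/" in file_ref or file_ref.endswith((".md", ".json")):
        problems.append("file field carries a readable path")
    stamp = str(entry.get("day") or entry.get("ts") or "")
    if "T" in stamp:
        problems.append("timestamp finer than day granularity")
    if "reason" in entry and entry["reason"] not in REASONS:
        problems.append("reason is free text")
    return problems


def audit_log(lines) -> list:
    """Run audit_entry over raw JSONL lines; malformed JSON is itself reported."""
    report = []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report.append((number, ["not valid JSON"]))
            continue
        report.append((number, audit_entry(entry)))
    return report


# Constructed sample: line 1 is the verbose style the findings describe,
# line 2 is the shape make_entry() produces.
SAMPLE_LOG = [
    '{"file": "daily_notes/2024-05-01.md", "ts": "2024-05-01T09:12:44", '
    '"context": "checking the vendor dispute before the 10am call", "tags": ["vendor", "legal"]}',
    '{"file": "9f2c0e1b7a4d3c55", "day": "2024-05-01", "reason": "recall"}',
]


def sample_entry() -> dict:
    """make_entry() applied to the constructed file name from SAMPLE_LOG line 1."""
    return make_entry("daily_notes/2024-05-01.md", "recall",
                      datetime(2024, 5, 1, 9, 12, 44), b"ws-salt")


if __name__ == "__main__":
    for number, problems in audit_log(SAMPLE_LOG):
        print(number, problems or "ok")
    print(sample_entry())
```

The salt is per workspace so the same file name hashes differently across workspaces, while an operator who holds the salt can still re-derive which memory an entry refers to when tuning decay. Running `audit_log()` over an existing access_log.jsonl is a quick way to measure how far a deployed log is from that policy before deciding whether to keep it.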

Unsafe Defaults

Medium
Category
Tool Misuse
Content
def run(content, importance, tags, meta_path, workspace=None,
        update_id=None, situation=None, judgment=None, consequence=None,
        action_conclusion=None, reversibility=None, boundary_words=None,
        alternatives=None, skip_security=False, provenance_source=None):
    """Main ingest logic — now delegated to the app/repo layers."""
    from mg_app.ingest_service import IngestService
    from mg_repo.meta_json_repository import MetaJsonRepository
Confidence
89% confidence
Finding
`skip_security` is a plain boolean parameter that is passed straight through to the ingest service, so any caller can bypass the security check with no privilege requirement or justification.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
reversibility=reversibility,
        boundary_words=boundary_words,
        alternatives=alternatives,
        skip_security=skip_security,
        provenance_source=provenance_source,
    )
Confidence
88% confidence
Finding
The `skip_security` value is forwarded unchanged into the service call; nothing in this path restricts who may set it.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
help="Reversibility: 0 (zero cost) 1 (low cost) 2 (high cost) 3 (irreversible)")
    p.add_argument("--boundary-words", default=None, help="Comma-separated boundary/anchor words")
    p.add_argument("--alternatives", default=None, help="Comma-separated alternatives considered")
    p.add_argument("--skip-security", action="store_true", help="Skip security check")
    # v0.4.1: Provenance source
    p.add_argument("--provenance-source", choices=["human", "system", "external"],
                   help="Provenance source for memory")
Confidence
90% confidence
Finding
`--skip-security` is a bare `store_true` CLI flag with a one-line help string; it requires no reason, confirmation, or privilege, and nothing else in the argument parser records that the check was bypassed.
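The four Unsafe Defaults findings above describe a bare bypass flag, and the earlier Missing User Warnings finding describes the ingest result echoing the first 100 characters of stored content to stdout. The example below is added here and is not the skill's own code; it shows one way to handle both: the security check always runs and its result is written into the record, `--skip-security` only disables enforcement and requires a `--skip-reason` that is stored for audit, and the summary printed to stdout is a length and a digest rather than a content preview. The patterns in `SECRET_PATTERNS`, the `--skip-reason` option and the record layout are assumptions made for the demonstration.

```python
import argparse
import hashlib
import re

# Added example, not the skill's own code. It shows one way to keep a bypass flag
# from becoming a silent unsafe default: the check always runs, skipping only
# disables enforcement, a skip needs a recorded justification, and the ingest
# summary printed to stdout no longer includes a preview of the stored content.
# The patterns in SECRET_PATTERNS, the --skip-reason option and the record layout
# are assumptions made for this demonstration.

SECRET_PATTERNS = (
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._-]{20,}")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
)


class SecurityGateError(Exception):
    def __init__(self, findings):
        super().__init__(f"security check failed: {', '.join(findings)}")
        self.findings = findings


def security_check(content: str) -> list:
    """Names of the secret-like patterns present in the content (constructed rule set)."""
    return [name for name, pattern in SECRET_PATTERNS if pattern.search(content)]


def ingest(content: str, *, skip_security: bool = False, skip_reason: str = None) -> dict:
    findings = security_check(content)  # always evaluated, never skipped
    if skip_security:
        if not skip_reason or len(skip_reason.strip()) < 10:
            raise ValueError("skip_security requires a skip_reason of at least 10 characters")
    elif findings:
        raise SecurityGateError(findings)
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return {
        "id": digest[:12],
        "size": len(content),
        "security": {"findings": findings, "enforced": not skip_security, "skip_reason": skip_reason},
        # what is safe to echo: a length and a digest, not the first 100 characters
        "summary": f"stored {len(content)} chars, sha256 {digest[:12]}",
    }


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(description="ingest a memory (added example)")
    p.add_argument("content")
    p.add_argument("--skip-security", action="store_true",
                   help="Skip enforcement of the security check (the check still runs and is recorded)")
    p.add_argument("--skip-reason", default=None,
                   help="Required with --skip-security; stored in the record for audit")
    return p


def main(argv=None) -> dict:
    args = build_parser().parse_args(argv)
    record = ingest(args.content, skip_security=args.skip_security, skip_reason=args.skip_reason)
    print(record["summary"])
    return record


if __name__ == "__main__":
    main()
```

With this shape the record of a skipped check survives in meta.json alongside the memory, so a later review can find every entry that was ingested with enforcement off and why.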

VirusTotal

67/67 vendors flagged this skill as clean.