Memory Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This memory skill is broadly purpose-aligned, but it installs persistent automation that can sync, index, analyze, and push sensitive memory data without enough up-front consent or scoping.

Install only if you are comfortable with a long-running memory system. Before use, review and disable the cron job, Syncthing service, Git remote pushes, hooks, proactive notifications, and media processing unless you explicitly want them; also check what MEMORY.md and memory/ contain before any sync or push runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (35)

Intent-Code Divergence (Medium, 95% confidence)

Finding: The script is presented as an installer that checks dependencies, but it also makes persistent host changes by enabling a system service, copying hooks, and installing a recurring cron job. Those actions are not inherently malicious, but they expand the script from setup into long-lived system modification without clear up-front disclosure or consent, which is risky for users evaluating what the installer will do.

Context-Inappropriate Capability (Medium, 88% confidence)

Finding: The workflow defines active delivery channels, including inline pushes and notifications, turning a memory retrieval feature into a proactive system that can surface stored content without an explicit user request. In a memory skill, this increases the risk of privacy leakage, accidental disclosure of sensitive memory snippets, and user manipulation through unsolicited context injection.

Intent-Code Divergence (Medium, 85% confidence)

Finding: The configuration says feedback-learning is initially disabled in feature flags, but the top-level feedback-loop is enabled, creating a policy/implementation mismatch. This can lead to unexpected collection and processing of user interaction signals even when operators believe learning is off, which is a security and privacy control failure.

Intent-Code Divergence (Low, 81% confidence)

Finding: Although the action claims to recommend only decision history, it scans the entire MEMORY.md and returns surrounding context for any matching line. That broad file-level access can expose unrelated sensitive notes adjacent to matched keywords, especially because the surrounding lines are included verbatim in previews.

Missing User Warnings (Medium, 85% confidence)

Finding: The README advertises automated synchronization and multimodal processing features but does not warn users that these capabilities may ingest, transmit, or persist sensitive local data such as documents, images, or audio. In a memory-oriented skill, this omission is security-relevant because users may enable the feature without understanding the privacy and data-handling consequences.

Missing User Warnings (Medium, 89% confidence)

Finding: The README promotes a 'self-evolution' capability without clarifying whether it changes prompts, configuration, stored memory, scheduled jobs, or other system state. Describing self-modifying or system-affecting automation without warnings increases the risk that users run it with elevated trust and insufficient oversight.

Missing User Warnings (Medium, 95% confidence)

Finding: The skill explicitly describes pre/post-session hooks that pull, extract, index, and synchronize user memory across sessions and devices, but it does not present a clear, prominent warning or consent boundary for this automatic collection and sharing. This is dangerous because users may unknowingly have sensitive conversation content persistently stored, reprocessed, and propagated to other systems, increasing privacy exposure and accidental data leakage risk.

Missing User Warnings (Medium, 94% confidence)

Finding: The documentation promotes image and audio processing that converts user files into text and embeddings and adds them to a searchable index, but it omits a clear privacy warning about how uploaded media is transformed and retained. This is risky because screenshots, recordings, and other media often contain secrets, personal data, or confidential business information that may become searchable and persist beyond the user's expectations.

Missing User Warnings (Medium, 98% confidence)

Finding: The installer enables and starts the syncthing@claw service with sudo, causing an immediate and persistent system-level change. Doing this without an explicit warning or confirmation can surprise users into granting elevated privileges and starting network-capable software they did not intend to run continuously.

Missing User Warnings (Medium, 98% confidence)

Finding: The script silently modifies the user's crontab to run auto-commit-memory.sh every 30 minutes, creating background persistence. A recurring task can continuously execute code, exfiltrate data, or mutate repositories over time, so installing it without explicit consent is unsafe even if the underlying purpose is legitimate.

Missing User Warnings (Medium, 88% confidence)

Finding: The script automatically commits and may push local memory contents to a remote without any interactive confirmation or visibility at the point of transmission. In a memory/workspace context, those files may contain sensitive notes, prompts, secrets, or operational state, so silent exfiltration to `origin` can cause confidentiality loss if the remote is misconfigured, shared, or untrusted.

Missing User Warnings (Medium, 95% confidence)

Finding: The code falls back to `SentenceTransformer(self.model_name)` when no local model is present, which can trigger implicit network access to download model artifacts. In a security-sensitive skill, undisclosed outbound connections can leak environment metadata, break offline assumptions, and introduce supply-chain risk through unpinned remote model retrieval.

Missing User Warnings (Medium, 88% confidence)

Finding: The script sends memory content to an external Ollama process for analysis without clear consent, warning, or data-classification controls. Even if Ollama is typically local, this crosses a trust boundary and may expose sensitive personal or operational data to model logs, plugins, remote backends, or other components outside the memory store.

Missing User Warnings (Medium, 92% confidence)

Finding: The code persistently stores full audio transcripts and embeddings to JSONL files under the user's workspace without any explicit warning, consent prompt, retention limit, or redaction step. Spoken audio often contains sensitive personal, business, or authentication information, so silent retention increases the risk of privacy exposure if local files are accessed by other tools, users, or malware.

Missing User Warnings (Medium, 95% confidence)

Finding: The archive routine automatically deletes entries from the active emotion index and writes archival records without any confirmation, approval workflow, or rollback protection. In this skill context, the code manages user memory/state, so mistaken thresholds, corrupted metadata, or unintended execution can silently cause integrity loss and operational data disappearance.

Vague Triggers (Medium, 79% confidence)

Finding: The keyword triggers are broad enough to activate on ordinary conversation terms such as 项目 (project), 配置 (configuration), 问题 (problem), 用户 (user), and 为什么 (why), causing frequent unsolicited retrieval of stored memory. In this skill's context, over-triggering is dangerous because it can unnecessarily expose historical context, confidential project data, or prior user content in response to casual discussion.

Vague Triggers (Medium, 77% confidence)

Finding: The scenario rules rely on vague natural-language criteria like 'contains code block' or 'asks code-related questions' without precise boundaries, making activation unpredictable and easy to trigger accidentally. Because activated actions can inspect repository state and retrieve memory content, ambiguous detection expands access to contextual data beyond what the user clearly intended.

Ssd 3 (Medium, 96% confidence)

Finding: The skill design describes automatically capturing conversation content, converting it into persistent memory, and reusing it across future sessions and devices. In context, this is more dangerous because the same architecture also includes automated indexing, recommendation, and synchronization, which amplifies the blast radius of any sensitive content captured without clear consent or scoping.

Unpinned Dependencies (Low, 96% confidence)

Category: Supply Chain
Content:
    # Memory Orchestrator dependencies
    # Core libraries
    faiss-cpu>=1.7.4
    sentence-transformers>=2.2.2
    torch>=2.0.0
    transformers>=4.30.0
Finding: faiss-cpu>=1.7.4

Unpinned Dependencies (Low, 96% confidence)

Category: Supply Chain
Content:
    # Memory Orchestrator dependencies
    # Core libraries
    faiss-cpu>=1.7.4
    sentence-transformers>=2.2.2
    torch>=2.0.0
    transformers>=4.30.0
Finding: sentence-transformers>=2.2.2

Unpinned Dependencies (Low, 97% confidence)

Category: Supply Chain
Content:
    # Core libraries
    faiss-cpu>=1.7.4
    sentence-transformers>=2.2.2
    torch>=2.0.0
    transformers>=4.30.0

    # Multimodal
Finding: torch>=2.0.0

Unpinned Dependencies (Low, 97% confidence)

Category: Supply Chain
Content:
    faiss-cpu>=1.7.4
    sentence-transformers>=2.2.2
    torch>=2.0.0
    transformers>=4.30.0

    # Multimodal
    clip @ git+https://github.com/openai/CLIP.git
Finding: transformers>=4.30.0

Unpinned Dependencies (Low, 94% confidence)

Category: Supply Chain
Content:
    # Multimodal
    clip @ git+https://github.com/openai/CLIP.git
    whisper>=1.1.10

    # Knowledge graph
    networkx>=3.1
Finding: whisper>=1.1.10

Unpinned Dependencies (Low, 94% confidence)

Category: Supply Chain
Content:
    whisper>=1.1.10

    # Knowledge graph
    networkx>=3.1
    pyvis>=0.3.2

    # Emotion analysis
Finding: networkx>=3.1

Unpinned Dependencies (Low, 94% confidence)

Category: Supply Chain
Content:
    # Knowledge graph
    networkx>=3.1
    pyvis>=0.3.2

    # Emotion analysis
    torch>=2.0.0
Finding: pyvis>=0.3.2

VirusTotal

65/65 vendors flagged this skill as clean.
