Security audit

Agentprizm Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent hosted memory skill with sensitive but disclosed persistence, and the scanner’s strongest credential concern appears to be an example placeholder rather than a real bundled secret.

Install only if you are comfortable sending selected durable memories to AgentPrizm. Keep the default memory_* tool filter, use separate containers for separate clients or projects, avoid secrets and regulated/confidential data unless explicitly approved, and periodically review or forget stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The README materially broadens the advertised capability from a memory skill to also enabling 14 remote `skill_*` marketplace/management tools, including install, publish, update, and unpublish operations. In a security-sensitive agent context, documenting how to expose unrelated higher-privilege tool surfaces increases attack surface and can lead users to grant capabilities beyond what the skill needs, raising the risk of supply-chain abuse or unintended remote actions.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The README explains connecting to a third-party remote MCP server with the user's bearer API key and emphasizes persistent cross-session memory, but it does not clearly disclose that recalled/stored memory contents may be transmitted to and processed by an external service. Because this skill handles durable facts, preferences, contacts, and lessons, missing privacy and data-handling warnings can cause users to expose sensitive information without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This skill explicitly promotes persistent cross-session storage of user and project information and supports ingesting arbitrary text and URLs into that memory, but it does not present a clear privacy warning, consent requirement, or data-handling guidance beyond "Never store secrets." That creates a real risk that users or agents will store sensitive personal, proprietary, or regulated data in a third-party memory service without appropriate notice, minimization, or approval.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding
The configuration embeds a bearer token directly in a visible manifest, which risks credential leakage through source control, package distribution, logs, screenshots, or downstream reuse. Anyone obtaining this token could potentially access the AgentPrizm MCP endpoint as this agent, including reading or writing persistent memory depending on server-side permissions.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: README.md:31