Remember Memory

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a third-party persistent memory service, but it has enough under-disclosed data flow and deletion-risk issues that users should review it carefully before installing.

Install only if you trust the Xiaobenyang backend with the memories you store. Do not store secrets, tokens, private personal data, or business-confidential content. Treat delete actions carefully, especially category='*' and partial-content deletes, because the skill does not require an extra confirmation step or show a recovery path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
Finding: The skill is presented as a categorized memory service, but the workflow and project structure reference an API-key-gated external service and even inconsistent school-search examples. This mismatch is dangerous because it obscures the true behavior of the skill, making it harder for users and reviewers to assess where data goes, what third parties are involved, and whether sensitive memory content is being exfiltrated to an unrelated external API.

Intent-Code Divergence

Severity: Medium. Confidence: 88%.
Finding: The documentation claims the code only calls APIs, but the exposed tools perform persistent creation and deletion of memories, which are side-effecting operations. Downplaying these side effects can cause the model or user to invoke state-changing actions without appreciating that data will be stored or erased, especially across chat sessions.

Intent-Code Divergence

Severity: Medium. Confidence: 90%.
Finding: The Settings docstring identifies an unrelated '高考' skill, while the manifest claims this is a classified persistent memory service. This mismatch is dangerous because it suggests code reuse or hidden repurposing, making it harder for reviewers and users to understand what external service and data flows are actually being configured.

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
Finding: The file configures an external API endpoint, MCP identifier, and API-key persistence for a service that does not match the advertised memory-service functionality. In the context of an agent skill, this discrepancy is especially risky because users may grant secrets or data access under false assumptions, enabling unintended exfiltration to an unrelated remote service.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The skill documents category-wide and wildcard deletion capabilities, including removing all memories, without requiring an explicit warning or confirmation step. This makes accidental or prompt-induced destructive actions far more likely, potentially causing irreversible loss of user data across local or global memory scopes.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding: The code persists the supplied API key into a local .env file without any user-facing warning, consent flow, or storage-security controls. This creates a secret-handling risk because the credential may remain on disk longer than expected, be committed accidentally, or be read by other local processes or users.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding: The skill sends user-provided memory content to an external API for persistent storage, but the interface shown here provides no explicit warning, consent mechanism, or sensitivity guidance. In a memory service, users may store secrets, personal data, or other sensitive content, so silent network transmission and persistence increase privacy and data-handling risk.

Missing User Warnings

Severity: High. Confidence: 94%.
Finding: The deletion function supports wildcard category removal using '*' and directly forwards the request to the API without any confirmation, safeguard, or warning. This creates a real risk of accidental or prompt-induced mass deletion of persistent memory, especially because the skill's purpose is long-lived storage across sessions.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding: The specific-memory deletion API uses partial matching on memory_content, which can remove unintended entries when the supplied text is ambiguous or overly broad. Without a warning or precise identifiers, users or downstream agents may accidentally delete more data than intended from persistent memory.

VirusTotal

64/64 vendors flagged this skill as clean.