Back to skill

Security audit

Snipara Mcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Snipara integration, but it gives agents broad remote memory, document upload/delete, shared-context, and swarm coordination abilities without strong point-of-use guardrails.

Install only if you are comfortable sending selected queries, session context, memories, summaries, and uploaded documents to Snipara. Use a scoped project/API key, do not store secrets or regulated data in memory or uploads, review/delete memories periodically, and be especially careful with sync_documents delete_missing, summary deletion, memory deletion, shared collection uploads, and swarm state changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module presents itself as a documentation-query server, but it also exposes broad write, deletion, memory, and multi-agent coordination capabilities. This mismatch increases the chance that a user or calling agent will grant trust or permissions under false assumptions, enabling unintended destructive or privacy-impacting actions through the same interface.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The memory features allow persistent storage, recall, listing, and deletion of user- or agent-supplied content via a remote API, which materially exceeds the apparent purpose of a documentation query tool. In an LLM-agent setting, this can silently accumulate sensitive preferences, facts, or conversation-derived data and later resurface it across sessions or scopes.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The swarm coordination features create, join, and manipulate shared multi-agent state and task queues that are unrelated to simple documentation retrieval. Such capabilities expand the attack surface substantially by enabling coordination, persistence, and resource control behaviors that a user may not expect from this skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises persistent memory and document upload/sync capabilities but does not clearly warn users that prompts, documents, team standards, and other project data may be transmitted to a remote service and stored there. In an MCP/agent context, this omission can lead operators to expose sensitive source code, internal docs, or personal data without informed consent, increasing privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes persistent memory across sessions and provides examples of storing user preferences, but it does not warn agents to avoid sensitive personal, credential, or regulated data. In a tool that explicitly supports cross-session retention, omission of privacy boundaries materially increases the chance that an agent stores sensitive information in an external service without informed consent or minimization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upload and sync sections instruct the agent/user to send document contents to Snipara, but they omit a clear warning that the content leaves the local environment and is transmitted to a third-party service. This can lead to inadvertent exfiltration of proprietary source, internal docs, or secrets through normal usage of the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The shared document upload guidance describes publishing content into a shared collection without warning that the material becomes team-visible context. That omission increases the risk of oversharing confidential or access-restricted information to a broader audience than intended.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The upload_document and sync_documents tools perform remote create/update/delete operations against the Snipara service, but their exposed descriptions do not clearly warn users that invoking them will modify server-side state and that sync_documents can delete remote content when delete_missing is enabled. In an agent-tooling context, weak disclosure increases the risk of unintended destructive actions by agents or users who assume these are local or read-only documentation utilities.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The remember tool stores arbitrary content in persistent memory with scopes such as agent, project, team, and user, but the user-facing description does not clearly warn that submitted data may be retained across sessions and exposed within broader scopes. In practice, an agent may persist secrets, personal data, or sensitive context unintentionally, creating a confidentiality and data-retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The memory store/recall operations send user-provided content and derived preferences or facts to the remote service without a point-of-use warning or consent flow. Because these tools are designed for persistence and later retrieval, they can unintentionally exfiltrate sensitive conversational data beyond the immediate session.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The bulk sync feature supports remote deletion through the delete_missing option, but the interface does not provide a strong warning, confirmation, or safety interlock at the point of use. In agent-driven workflows, this can lead to accidental destructive operations against remote project documentation.

Ssd 3

Medium
Confidence
92% confidence
Finding
The workflow recommends using `rlm_remember` to store 'important info for future sessions' without limiting storage to non-sensitive data. Because the skill frames this as a default workflow step, agents may persist user-supplied information broadly and indefinitely, including content that should not be retained.

Ssd 3

Low
Confidence
83% confidence
Finding
The marketing claim that the AI 'remembers your preferences across sessions' normalizes persistent retention without mentioning privacy boundaries or consent. While not directly instructing harmful behavior, it can lower operator caution and make unsafe retention seem routine.

Ssd 3

Medium
Confidence
96% confidence
Finding
Saying the AI can 'recall them forever' encourages indefinite retention of user-provided data, which conflicts with data minimization and increases exposure if the memory store is later accessed or misused. Persistent storage without retention bounds is particularly risky for external SaaS-backed memory features.

Ssd 1

High
Confidence
98% confidence
Finding
The code prepends remote system_instructions directly into model-facing output without validation or trust separation. If the backend or indexed content is compromised, this creates a prompt-injection channel that can manipulate downstream agent behavior, override local instructions, or induce unsafe tool use.

Ssd 3

Medium
Confidence
87% confidence
Finding
The memory tool descriptions explicitly encourage storing user preferences, facts, decisions, and context for later recall, normalizing persistent collection of potentially sensitive personal or operational data. In an agent environment, this increases the likelihood of over-collection and cross-session privacy leakage.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
print()

    # Check environment variables
    api_key = os.environ.get("SNIPARA_API_KEY")
    project_id = os.environ.get("SNIPARA_PROJECT_ID")

    if api_key:
Confidence
91% confidence
Finding
os.environ.get("SNIPARA_API_KEY

External Script Fetching

Low
Category
Supply Chain
Content
### MCP server not connecting

- Check `uvx` is installed: `uvx --version`
- Install uv: `curl -LsSf https://astral.sh/uv/install.sh | sh`
- Check Claude Code output panel for errors

## RLM Runtime Integration
Confidence
91% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Known Vulnerable Dependency: mcp — 6 advisory(ies): CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to ) +3 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
mcp

Known Vulnerable Dependency: httpx — 2 advisory(ies): CVE-2021-41945 (Improper Input Validation in httpx); CVE-2021-41945 (Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `http)

Critical
Category
Supply Chain
Confidence
81% confidence
Finding
httpx

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.