Nm Memory Palace Knowledge Intake

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a knowledge-management workflow, but it can write local project knowledge files and publish selected entries to GitHub Discussions by default.

Install only if you are comfortable with a workflow that can persist knowledge into your repository and may publish evergreen entries to GitHub Discussions. Before use, require explicit approval for every write or publication, review the exact GitHub destination and body, redact private URLs, secrets, internal notes, and local paths, and avoid `--auto-accept` unless running in a test output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The skill's 'Discussion Promotion' step expands a knowledge-ingestion workflow into external publication by directing use of `gh api graphql` to create or update GitHub Discussions. That creates a real data-exfiltration and integrity risk because analyzed or transformed content may be published outside the local environment by default, and the prompt to the user is weakly protective given that publishing is described as the default action.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The application routing section authorizes the skill to move from evaluation/storage into modifying the local codebase and meta-infrastructure, including updating code, ADRs, skills, modules, and agents. This is a real scope-expansion vulnerability because a content-intake skill should not implicitly gain write authority over implementation artifacts based on external resources, especially when those resources may be adversarial or low quality.

Intent-Code Divergence
Severity: Medium
Confidence: 78%
Finding: The document states the current implementation is Level 0 human-in-the-loop, yet elsewhere advertises `--auto-accept`, creating contradictory operator expectations. This is dangerous because users may rely on the safer claim while invoking automation that silently bypasses intended review gates and performs storage decisions automatically.

Vague Triggers
Severity: Medium
Confidence: 76%
Finding: The trigger term 'intake' is overly generic and can cause the skill to activate in unrelated contexts, increasing the chance that sensitive local files or external resources are processed unexpectedly. Overbroad invocation is a real security concern for a skill that can fetch content, queue data, and mutate stored knowledge.

Vague Triggers
Severity: Medium
Confidence: 75%
Finding: The trigger 'evaluation' is broad enough to overlap with many benign requests, which can unintentionally activate a skill that performs retrieval, storage, and routing actions. In this context, ambiguous activation expands the blast radius because the skill's documented actions go beyond passive analysis.

Vague Triggers
Severity: Medium
Confidence: 75%
Finding: The trigger 'curation' is ambiguous and could match many normal conversations, causing accidental invocation of a skill that can store content, queue research material, and propose downstream modifications. Given the skill's broad powers, loose activation increases the chance of unintended data handling.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The skill instructs fetching remote URLs and local files, including constructing `file://` URIs, without a prominent privacy or access warning. That is dangerous because users may not realize the skill can pull potentially sensitive local documents or send remote requests based on content they provide, increasing exposure to privacy leaks and unsafe processing of untrusted material.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: The discussion-publishing workflow lacks a strong, front-loaded warning that content will be sent to GitHub, a third-party service, and even frames publishing as the default. This is particularly dangerous because knowledge entries may contain proprietary, personal, or mixed-source material, and the skill normalizes external disclosure inside an intake workflow where users may expect local-only processing.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The automation section documents `--auto-accept` and file mutations to the corpus, drafts, and audit log without clearly warning that running the command will write to disk. This can lead to unintended persistence of sensitive or low-quality material and surprise modifications to project documentation.

Ssd 3
Severity: Medium
Confidence: 89%
Finding: Automatic queueing and audit logging of research sessions can retain user-provided content and browsing-derived material without clear minimization, retention, or consent controls. This creates a real privacy risk because sensitive prompts, internal URLs, or research artifacts may be stored long-term in queue files and logs beyond the user's intent.

VirusTotal

64/64 vendors flagged this skill as clean.