AutoDream Memory

Security checks across malware telemetry and agentic risk

Overview

AutoDream mostly matches its memory-cleanup purpose, but it can automatically rewrite persistent agent memory and its documented safety controls do not match the code.

Install only if you are comfortable with a tool that can rewrite local agent memory and potentially run on a schedule. Review or back up MEMORY.md first, avoid relying on --dry-run as safe, and do not enable the setup script unless you want an immediate run plus recurring configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill advertises file read/write behavior and explicitly describes modifying MEMORY.md and files under memory/, but it does not declare permissions. Missing permission declarations weaken user and platform visibility into what the skill can access, making unintended or overly broad file operations harder to review and constrain. In a memory-maintenance skill, file access is expected, but undeclared capabilities still create a real trust and governance gap.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose understates the actual behavior: the skill also inspects session history, writes multiple tracking/report artifacts, rewrites MEMORY.md, and installs scheduling via setup scripts that may create cron jobs and trigger immediate execution. This mismatch is dangerous because users may consent to a narrow 'memory cleanup' function while the skill performs broader surveillance, persistence, and automation actions with side effects beyond what was clearly disclosed.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The report states the skill operates in a 'read-only mode' while simultaneously documenting that it writes to memory files, updates MEMORY.md, creates backups, and installs scheduled tasks. This is a misleading security claim that can cause operators to grant trust or deploy the skill under false assumptions, increasing the chance of unintended file modification or persistence.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The release notes claim a 'read-only mode' as a safety property while the same document advertises pruning, deduplication, backup creation, and report generation, all of which imply filesystem writes or mutation of workspace state. This can mislead users into granting trust or enabling automation under false assumptions, increasing the chance of unintended file modification in a memory-management skill that is explicitly designed to rewrite memory artifacts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill's stated purpose is memory-file consolidation, but this code additionally mines raw session logs for user corrections, decisions, and explicit save requests. That broadens data collection from existing memory artifacts to conversational transcripts, creating an unexpected privacy boundary expansion and persistent retention risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The session transcript mining is only loosely connected to the declared task of reorganizing memory files, and the implementation scans broad message content with regexes for decisions and corrections. This can collect sensitive conversational data unrelated to memory maintenance and convert ephemeral chat content into durable memory artifacts.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README documents automated memory consolidation, pruning, and deletion outputs, but it does not clearly warn users that running the skill modifies and may remove data from workspace memory files. In a tool designed to run automatically on a schedule, insufficient disclosure increases the chance of unintended destructive actions, especially if users enable cron execution without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The quick-start section encourages immediate execution and cron-based automation without any warning that the skill may alter memory files on a schedule. In the context of an auto-consolidation agent, omission of modification warnings can cause users to deploy recurring or forced runs before understanding scope, backup behavior, or rollback options, leading to silent data loss or unwanted state changes.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script overwrites MEMORY.md directly and later writes multiple state/report JSON files, with no confirmation, backup, or transactional safety. A maintenance tool that rewrites core memory artifacts can silently destroy or alter important user data if triggered unexpectedly or if its heuristics misclassify entries.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The code reads workspace session transcripts and processes message content without any explicit privacy notice or consent flow. Because transcripts may contain sensitive user information, scanning them for consolidation signals creates a material transparency and privacy risk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The skill collects natural-language content from session histories and republishes derived or truncated text into persistent outputs such as MEMORY.md and report/export files. This transforms potentially sensitive conversational content into long-lived artifacts, increasing exposure, discoverability, and retention beyond the original session context.

VirusTotal

64/64 vendors flagged this skill as clean.