Back to skill

Security audit

Apm Agent Progressive Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is review-worthy because it can automatically expose private DM memory in group chats when group mapping is missing.

Install only if you are comfortable with persistent workspace memory hooks and can strictly configure memory/groups/group_names.json before using group chats. For safer use, remove or change the unmapped-group fallback so group sessions fail closed instead of loading DM memory, and review scheduled/precompact flush behavior and stored session metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This is a real confidentiality vulnerability. When a session is detected as a group chat but no group mapping exists, the code intentionally falls back to composeApmContext(), which loads DM-only memory from memory/main/* and daily notes, despite the file's own privacy rules stating group chats must never see that data. In this skill context, that is especially dangerous because the entire protocol is designed around strict separation between private DM memory and shared group memory, so the fallback directly defeats the stated trust boundary.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation establishes a clear security invariant: group chats must not see DM-only memory. Elsewhere in the handler, that invariant is knowingly violated by the fallback path for unmapped group chats, meaning the implementation contradicts its own security model. This makes the issue more dangerous, not less, because operators and users are likely to rely on the documented privacy boundary while the code silently breaks it.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The skill directs the agent to append to and overwrite memory files, but does not require explicit user consent or a visible warning before persisting or altering stored data. In an agent-memory context, silent write-back can capture sensitive user, project, or infrastructure information and can overwrite prior state in ways the user may not expect.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The flush-state design persists session metadata such as timestamps, session identifiers, pending items, and file modification times without an explicit warning or minimization requirement. In this skill's context, those fields can reveal communication topology, activity patterns, workspace structure, and potentially sensitive identifiers, making covert persistence more dangerous than in ordinary documentation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically create missing memory indexes and update memory files on flush or state changes, but it does not present a prominent user-facing warning or consent model for those persistent modifications. In a memory-management skill, silent creation and mutation of files can expose users to privacy, auditability, and integrity risks, especially where group and DM contexts are supposed to remain isolated.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented fallback explicitly routes unresolved group sessions to the DM protocol, which can inject private DM memory into a group context. In a memory/bootstrap hook, this is a real confidentiality flaw because misconfiguration or new channel/sessionKey formats can cause cross-context disclosure without any user confirmation.

Missing User Warnings

High
Confidence
98% confidence
Finding
This is a true privacy leak because the handler injects private DM memory into a shared group bootstrap context with only a console warning to operators. There is no user-facing disclosure, consent, or runtime block, so the leak can occur silently whenever group_names.json is missing or incomplete. In a memory-management skill, silently crossing session boundaries is particularly severe because the injected content may include personal notes, long-term memory, and recent daily context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The hook explicitly supports `system:event` cron-triggered `/remem` flushes that update `memory/flush-state.json` without requiring contemporaneous user action or a clear warning in the primary behavior description. In a memory-management skill, silent scheduled state changes can undermine user expectations, create privacy/auditability issues, and mask background processing across chat contexts, especially given the documented shared flush-state limitation.

Ssd 3

High
Confidence
98% confidence
Finding
Falling back from an unknown or unresolved group session to DM memory creates a direct path for sensitive personal/main-session memory to be surfaced in a group environment. Because this hook runs at bootstrap and controls what context is injected, the skill context makes the issue more dangerous: a single parsing or mapping miss can expose private memory to multiple participants.

Ssd 3

High
Confidence
94% confidence
Finding
The documentation acknowledges that MEMORY.md may still be injected into group sessions and proposes relying on agent discipline plus a DO-NOT-READ warning. That is not an effective security control: once sensitive memory is present in the prompt/bootstrap context, it is already exposed to the agent and may influence outputs or be disclosed despite instructions.

Ssd 3

High
Confidence
99% confidence
Finding
The code at this location causes shared-channel disclosure of DM-only data when a friendly-name mapping is missing. Because the fallback path is triggered by configuration gaps rather than an extraordinary security override, ordinary deployment mistakes can expose private memory to group participants. The skill context increases risk because it handles persistent memory intended to encode private session history and personal diary-like daily notes.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.