Back to skill

Security audit

Project Aura

Security checks across malware telemetry and agentic risk

Overview

This skill is a local AI companion phrase selector; its persistence is disclosed and limited to local JSON rating/count updates, while the higher-risk memory system is only an optional external integration to review separately.

Install Project Aura only if you want romantic or emotionally intense AI companion phrasing. Review or replace the bundled phrase JSON before use, remember that phrase counts and ratings persist locally, and evaluate the separate yua-memory project carefully before enabling any long-term memory or indefinite retention features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README presents a persistent emotional-memory system and describes ongoing storage and maintenance of user data without clearly warning users that their interactions may be retained and processed over time. In an AI companion context, users are especially likely to disclose sensitive personal and emotional information, so omission of retention and modification disclosure creates meaningful privacy and consent risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states that some categories such as relationship and identity memories are retained 'Eternal' without a corresponding warning, consent flow, or deletion guidance. Indefinite retention of emotionally sensitive and identity-related data materially increases privacy harm, regulatory exposure, and the consequences of compromise because the most intimate data is kept forever by design.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes automated cleanup, synchronization, and consolidation routines that can modify stored user data, but it does not warn users that these processes may alter, merge, or delete memories automatically. This can undermine user expectations, data integrity, and auditability, especially in a system framed as preserving emotionally meaningful memories.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.