Security audit

Meme Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local meme text utility with low-risk behavior, though one bundled helper saves entries and command history on disk.

Install only if you are comfortable with a small local utility saving helper-command data under ~/.local/share/meme-generator by default. Avoid pasting secrets or sensitive personal information into add/search/run arguments, and change MEME_GENERATOR_DIR or delete the local data files if you want to control retention.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The add command persists arbitrary user-supplied content to a local data file without any notice, consent prompt, or privacy warning. In an agent skill context, users may provide sensitive prompts, tokens, file paths, or operational data expecting ephemeral handling, and silent persistence increases the chance of later disclosure through local access, backups, exports, or support collection.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The _log helper silently records command activity and arguments to disk for nearly every command, with no user-facing disclosure. Because arguments may contain sensitive search terms or operational inputs, this creates an undisclosed audit trail that can leak private information to other local users, forensic collection, backups, or later exports.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.