Security audit

personal-memory-system

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local journaling and personal memory skill that handles sensitive data, but I found no hidden network access, credential use, destructive behavior, or purpose-mismatched actions.

Install only if you are comfortable storing intimate personal history in a local memory folder and sending relevant entries to your selected AI provider during use. Use explicit trigger phrases, keep the memory directory out of git and cloud sync unless intended, restrict permissions, consider encryption, and periodically inspect, edit, or delete diary, signal, and AI-portrait files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (25)

Intent-Code Divergence

Medium

Confidence: 83% confidence
Finding: The protocol promises not to record crisis conversations to signals-log for privacy, but then instructs that some of the same incident be recorded elsewhere. In a mental-health context, this contradiction can lead to sensitive crisis disclosures being stored despite a no-logging expectation, creating privacy harm, trust erosion, and possible mishandling of highly sensitive self-harm indicators.

Intent-Code Divergence

Low

Confidence: 87% confidence
Finding: The file tells users that everything is stored only in their local files and will not be shared, but elsewhere the skill instructs the system to persistently update profile and alert memory files. While those files may still be local, the notice is incomplete because it omits the scope of ongoing retention, profiling, and derived-data storage. In a memory system handling intimate personal data, incomplete privacy claims can mislead users about what is being retained and increase consent and expectation mismatches.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The Cursor rule uses broad trigger phrases plus an open-ended "等相关指令" ("and related instructions"), which can cause the memory skill to activate on loosely related user input. In a personal memory system, unintended activation is more dangerous than usual because it may collect, infer, or persist sensitive personal data when the user did not explicitly intend to invoke the skill.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The README advertises highly generic trigger phrases such as "记录今天", "随手记", "帮我做个推演", and identity/personality prompts without documenting clear scope boundaries, confirmation steps, or context gating. In a memory skill that stores sensitive personal history and profile data, broad natural-language triggers increase the chance of accidental activation and unintended collection or persistence of private information.

Vague Triggers

High

Confidence: 97% confidence
Finding: The skill declares a very large set of generic natural-language trigger phrases such as '记录今天', '帮我做决策', '分析我最近的状态', and '我很崩溃', which are likely to appear in ordinary conversation and can cause unintended invocation. Because the skill then reads persistent memory files and processes highly sensitive personal data, accidental activation expands data exposure and can trigger journaling, profiling, or decision workflows the user did not explicitly intend to run.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase “重新开始” is broad and plausibly appears in ordinary conversation, so the skill may activate when the user is not intentionally invoking a memory/archive workflow. In this skill’s context, unintended activation is more dangerous because initialization leads quickly into collecting sensitive personal profile data and instructing local file creation.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The file instructs users to create a directory structure and copy files locally without any upfront warning, consent checkpoint, or explanation of what data will be stored there. This is risky because users may not understand that they are establishing a persistent local repository for highly sensitive personal information, increasing the chance of accidental exposure or unsafe storage practices.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly stores raw diary entries and later generates derived emotional analysis, trends, goals, and anniversary lookups across multiple memory files, but it provides no consent flow, retention notice, access controls, or privacy warning. Because the content includes intimate mental-health and life-event data, silent persistence creates a real confidentiality and misuse risk, especially if the memory store is later exposed, reused in other contexts, or accessed by unauthorized parties.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger phrases for the memory-assistance mode are broad conversational requests such as asking for help recalling the past or talking about oneself. In a skill designed to continuously archive personal history, broad triggers can cause unintended activation and prompt the collection of sensitive autobiographical data when the user may only want casual conversation or reflection.

Missing User Warnings

High

Confidence: 97% confidence
Finding: This section explicitly solicits highly sensitive personal data, including health history, psychological state, relationships, finances, and deeply personal behavioral patterns, but does not warn users about privacy implications, retention, downstream use, or minimization. In the context of a long-lived AI memory system, this materially increases the risk of overcollection, unexpected profiling, and harmful exposure if the data is accessed, reused, or breached.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The document repeatedly instructs the system to append to and maintain persistent memory files containing sensitive personal data, emotional signals, goals, and decision history, but it does not clearly require user notice or consent before storing or modifying that data. In a personal memory skill, this is more dangerous because the stored content is highly intimate and longitudinal, increasing privacy, retention, and profiling risk if users are unaware that persistence is happening.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The protocol directs the agent to create diary files and update signals-log entries containing personal history without any user-facing notice, consent flow, or retention explanation. Because this skill is a personal memory system handling intimate emotional and behavioral data, silent persistence materially increases privacy risk, unexpected data collection, and downstream misuse if files are later accessed or repurposed.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This restart flow instructs the skill to read historical personal data, summarize prior state, and update profile/goal tracking files without first telling the user that past records are being accessed. In a memory system that may contain sensitive emotional, behavioral, and life-event information, undisclosed retrieval and profile updates create significant privacy and autonomy risks and can surprise users with inferred or resurfaced sensitive data.

Natural-Language Policy Violations

Medium

Confidence: 76% confidence
Finding: The document enforces a fixed 'old friend' persona and communication style without requiring user consent or offering adjustment. In a system positioned as a long-term memory and decision-support companion, this can manipulate user trust, blur boundaries, and pressure users into a relational frame they did not choose. The risk is amplified because the persona claims deep familiarity and quasi-privileged insight into the user.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The template explicitly says the file is continuously maintained from 'all user records,' which creates an enduring psychological profile without any user-facing notice, consent boundary, or minimization guidance. In a personal memory skill, this materially increases privacy risk because highly sensitive facts can be aggregated into a durable portrait that reveals more than any single entry.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: These sections direct the system to infer decision style, emotional patterns, energy rhythms, unseen traits, and contradictions from historical records, which is sensitive psychological profiling. Because the skill is designed as an always-available personal memory and decision adviser, the profiling is especially dangerous: it can produce intimate inferences, overconfident judgments, and persistent labeling without clear safeguards or consent.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The template explicitly instructs the system to automatically append to a log and archive older entries, which implies file modification behavior without any user-facing notice, confirmation, or consent boundary. In a memory-system skill that continuously records personal experiences, silent writes and archival of sensitive emotional and behavioral data increase privacy and integrity risk, especially if users do not realize persistent files are being changed.

Ssd 3

Medium

Confidence: 88% confidence
Finding: The skill explicitly frames the AI as an entity that 'remembers everything' and maintains a persistent user portrait, which encourages long-term aggregation of intimate behavioral and psychological data. In the context of a personal memory system, this increases privacy risk, profiling risk, and the chance of over-collection or inference beyond what the user intended, especially when combined with broad triggers and automatic context loading from multiple history files.

Ssd 3

Medium

Confidence: 96% confidence
Finding: Continuously maintaining an AI portrait from all user records creates an aggregated psychological profile that can reveal intimate patterns, vulnerabilities, contradictions, and inferred traits beyond what the user explicitly shared. The skill context makes this more dangerous because it is designed as a long-lived memory system, so sensitive data accumulation and inference become a core feature rather than an incidental byproduct.

Ssd 3

Medium

Confidence: 97% confidence
Finding: Requesting users to upload prior diaries, social posts, and personal writings for bulk ingestion encourages transfer of large volumes of highly sensitive historical data, potentially including third-party information and content the user has not re-reviewed. Saying the AI will organize it without user classification further reduces friction and may cause overcollection of data far beyond what is necessary for the task.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The design mandates persistent logging of raw user diary text plus derived signals such as emotions, energy levels, goals, patterns, crisis indicators, and summaries across diary, response, weekly, monthly, letter, and signal files. This broad retention and cross-linking significantly increases the blast radius of any prompt leakage, mis-scoped memory recall, insider access, or storage compromise, and it can expose especially sensitive psychological inferences beyond the original user input.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The file directs the system to persistently record important user disclosures, contradictions, behavioral changes, and the triggers that caused profile updates. That creates a structured dossier of highly sensitive personal information and inferred traits, which materially increases privacy harm if exposed, misused, or presented back to the user inappropriately. Because this skill is a personal memory system covering emotions, relationships, goals, and decisions, the retained data is especially sensitive and the context makes the risk more serious.

Ssd 3

Medium

Confidence: 93% confidence
Finding: Continuous maintenance of a portrait from all records encourages broad retention and centralization of sensitive personal history, which raises exposure and misuse risks if the data is later accessed, leaked, or repurposed. In this skill's context, the file is positioned as a long-lived memory substrate, making overcollection and indefinite summarization more dangerous than a one-off note.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The template instructs recording intimate behavioral and psychological patterns across time, including moods, energy cycles, recurring struggles, and growth trajectory. That goes beyond ordinary note-taking into sensitive personal-data synthesis, which can expose vulnerable traits, support manipulative downstream use, or create inaccurate but durable characterizations.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The contradictions section explicitly stores timestamped quotes of conflicting statements from past records, creating a searchable ledger of inconsistency that can be highly sensitive and easily misused. In a personal archive, this may amplify embarrassment, relational harm, or coercive profiling, especially if surfaced out of context or retained indefinitely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.