smart-memory-lite (Automaton)

Security checks across malware telemetry and agentic risk

Overview

This is a local conversation-memory skill whose storage, recall, import, export, and deletion features match its stated purpose, though users should treat stored memories as sensitive.

Install only if you want persistent local conversation memory. Do not store secrets, credentials, regulated data, or private client content without additional controls. Configure the storage path deliberately, export only to trusted locations, import only trusted JSON, and understand that clear() removes stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill’s advertised purpose is lightweight conversation memory, but the implementation also includes bulk import/export and full deletion capabilities that materially expand its authority over stored data. In an agent context, these hidden or under-disclosed capabilities increase the chance of unintended data exfiltration or destructive actions beyond what a user would reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code accepts caller-controlled file paths in exportToFile(filePath) and importFromFile(filePath) and performs unrestricted filesystem writes and reads. In an agent environment, this enables path abuse to overwrite arbitrary files, read sensitive local files into memory, or move conversation data outside the intended storage directory.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The clear() method irreversibly wipes all stored memories, which is a destructive capability not disclosed by the skill description. In a tool-using agent, an unexpected deletion primitive can be triggered accidentally or by prompt manipulation, causing loss of conversation history and operational state.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly promotes automatic saving of every conversation to file-based storage without any discussion of consent, retention limits, access controls, or sensitive-data handling. In a memory skill, this creates a real privacy and security risk because agents may persist secrets, personal data, credentials, or regulated content by default.

Missing User Warnings

Medium
Confidence: 89%
Finding
The import, export, and clear operations are documented as ordinary features but no warnings are given about data exposure, overwrite risk, or irreversible deletion. This is dangerous because operators may unknowingly export sensitive conversation histories, import untrusted data, or destroy stored records without safeguards.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill automatically persists conversation content, timestamps, tags, and topics to disk, including daily conversation files, without any disclosure or consent mechanism. Because conversational memory often contains sensitive prompts, secrets, or personal data, silent persistence increases privacy and data-retention risk in normal use.

Missing User Warnings

Medium
Confidence: 97%
Finding
The export function writes the full memory dataset to a caller-supplied file path without any disclosure, approval, or scoping. Since the stored memories may contain sensitive conversation data, this creates a straightforward exfiltration path from the memory store to arbitrary filesystem locations.

Missing User Warnings

Low
Confidence: 84%
Finding
Importing external files into the memory store without disclosure is risky because it allows untrusted or unexpected data to be merged into persistent memory. While less severe than arbitrary export, it can pollute agent context, introduce malicious prompt content into future recalls, and expand retained data without user awareness.

Missing User Warnings

High
Confidence: 98%
Finding
The clear operation permanently deletes all stored memories with no warning, confirmation, or recovery path. In an agent setting, that makes destructive loss of state easy to trigger accidentally or through adversarial prompting, which is especially dangerous for a memory component whose core purpose is persistence.

Ssd 3

Medium
Confidence: 87%
Finding
Automatically storing all conversation content semantically enables later disclosure because the system collects and retains user-provided data by default. In the context of an AI memory skill, this is especially risky since users may reveal confidential prompts, personal information, or secrets during normal conversations.

Ssd 3

Medium
Confidence: 91%
Finding
The export feature is described as exporting all stored memories, which provides a straightforward mechanism to extract accumulated conversation data in bulk. Even if intended for backup, bulk export materially increases the risk of sensitive-data disclosure if files are mishandled, accessed by other processes, or shared insecurely.

VirusTotal

66/66 vendors flagged this skill as clean.