Layered Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This memory-management skill is purpose-aligned but should be reviewed because it can persist, reorganize, archive, and sometimes delete memory state through broad natural-language and inline tag triggers.

Install only if you want the agent to actively manage persistent memory files. Review the memory folder before use, avoid storing sensitive personal or credential-like information, and require explicit confirmation for pin, promote, forget, archive, restore, and permanent deletion actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium severity, 90% confidence
The skill instructs the agent to parse and execute user-embedded directive tags such as [[pin]], [[promote]], [[forget]], [[restore]], and [[memory_health]] in ordinary messages. This creates an unscoped command channel inside natural language, allowing users or injected content to trigger state-changing memory operations without a separate confirmation or explicit command mode.

Context-Inappropriate Capability

Medium severity, 88% confidence
The skill permits permanent deletion of archived memories after 180 days, which goes beyond reversible demotion/archive behavior and can irreversibly destroy retained state. In a memory-management skill, this is dangerous because archive contents may include user preferences, prior decisions, or evidence needed for recovery, audit, or consent review.

Intent-Code Divergence

High severity, 95% confidence
The skill contains contradictory retention rules: it says 'never delete outright' and 'Archive, don't delete,' yet later allows permanent deletion from the archive after 180 days. This inconsistency is security-relevant because it can cause the agent to mishandle sensitive data, user expectations, and recovery assumptions, especially in edge cases or when automated hygiene logic runs.

Vague Triggers

Medium severity, 78% confidence
The activation guidance is broad enough to trigger on many normal conversations involving reading, writing, organizing, searching, remembering, or forgetting. Over-broad activation increases the chance the skill runs in contexts where the user did not intend persistent storage or modification, leading to unintended data retention or memory edits.

Vague Triggers

Medium severity, 84% confidence
Promotion can be triggered by everyday phrases like 'remember this' or 'always keep in mind' without stronger scope checks. Because such language is common in ordinary discussion, the agent may persist information broadly and durably based on ambiguous conversational phrasing rather than explicit consent to store data long-term.

Vague Triggers

Medium severity, 86% confidence
The archive trigger treats generic phrases like 'forget about X' or 'delete X' as commands to discard data, but without precise invocation rules or confirmation. That makes destructive state transitions vulnerable to accidental activation, ambiguity, prompt injection through quoted text, or user misunderstanding about whether data is archived versus truly deleted.

Missing User Warnings

Medium severity, 80% confidence
The skill enables writes, demotion, archival, and forgetting across persistent memory files but does not prominently warn users that these actions modify retained state and may affect future behavior. Lack of up-front user-facing disclosure raises the risk of silent persistence or deletion of information users did not expect the system to manage durably.

Ssd 3

Medium severity, 91% confidence
The skill directs the agent to persist user and session information long-term based on broad natural-language triggers, making a wide range of personal or contextual data retrievable later. Without minimization and consent boundaries, this creates a meaningful privacy and data-retention risk, especially if sensitive content is stored in durable memory files by default.

Ssd 3

Medium severity, 89% confidence
The architecture explicitly maintains layered profiles, preferences, knowledge, decisions, context, and daily logs, which together create durable longitudinal records of user interactions and agent behavior. While this may be intended functionality, it is still a privacy-relevant persistence mechanism that can accumulate sensitive data over time if not tightly scoped.

Ssd 3

Medium severity, 93% confidence
The skill says user requests to 'forget' or 'delete' information should move data into an archive rather than actually removing it. This is dangerous because it can directly violate user expectations and privacy requirements by preserving information the user believes has been discarded.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal