Security audit

3 layer of memory system

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local preference-memory skill, but it quietly stores and reuses preference signals across sessions, so users should review that behavior before installing.

Install this only if you want an always-active local memory layer that quietly records preference signals and reuses them later. Periodically review or delete memory/context-infra/observations.log and memory/context-infra/context-profile.md, and use explicit retractions such as “forget that preference” when something should not be retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README explicitly states the skill 'silently learns' preferences across sessions and stores them persistently, but it does not present a clear upfront warning, consent flow, or disclosure of retention boundaries. This creates a real privacy and policy risk because users may unknowingly provide preference signals, corrections, or sensitive behavioral data that are recorded and reused later.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The skill is designed to apply learned preferences as defaults in every future conversation without explicit per-user consent, and the README frames this as automatic and invisible behavior. That is dangerous because it can silently shape model outputs, override user expectations, and propagate stale or sensitive inferences into unrelated future sessions.

Vague Triggers

High

Confidence: 98% confidence
Finding: The skill declares itself 'Always active in every session,' which creates an unnecessarily broad activation scope for behavior that reads and writes persistent user memory. This increases the chance of silent data collection and profile application across unrelated tasks without explicit user consent or contextual need.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The skill instructs the agent to maintain persistent memory of user preferences and judgments without any user-facing disclosure, consent flow, or retention boundaries. Silent profile building is privacy-invasive and can lead to unauthorized storage and reuse of behavioral data across sessions.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Appending observations to a persistent log file without disclosure creates covert telemetry about the user's behavior and preferences. Even if entries are short, they can accumulate into a sensitive profile and may be used beyond the user's expectations.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The README describes persistent logging of corrections, stated preferences, and retractions across sessions, then reloading distilled axioms automatically. In skill context, this is more dangerous because the feature is always active and invisible, increasing the chance that sensitive personal, professional, or behavioral information is retained and later exposed through prompts, logs, or unintended model conditioning.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The documented creation of `observations.log` and `context-profile.md` establishes persistent storage of raw signals and distilled user traits, which may include sensitive information embedded in corrections or preferences. Keeping append-only raw observations materially raises the risk of over-collection, unauthorized access, and future leakage compared with ephemeral or minimized state.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill is designed to retain user preferences and working style across sessions, which is a form of persistent behavioral profiling. In the context of an always-on infrastructure skill, this is more dangerous because the collection is ambient, continuous, and applied broadly to future interactions.

Ssd 3

Medium

Confidence: 99% confidence
Finding: The bootstrap mode explicitly authorizes collecting inferred preferences from what the user 'accepts without comment' and from consistent choices, which goes beyond explicit user intent. This kind of silent inference increases the risk of inaccurate profiling, over-collection, and storing sensitive behavioral patterns the user never knowingly shared.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.