Back to skill

Security audit

Memory OS

Security checks across malware telemetry and agentic risk

Overview

This is a local persistent-memory skill with no executable code, but it can retain sensitive personal/work context and influence future agent sessions.

Install only in a private workspace. Review AGENTS.md, USER.md, MEMORY.md, HEARTBEAT.md, daily notes, and .blueprint-state.json after install; avoid storing secrets, credentials, regulated data, or anything you would not want reused later. Disable or narrow heartbeat, web research, and email/calendar checks unless you explicitly want them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The dry-run preview is incomplete because it omits files later created during execution, including the heartbeat state, daily note, and blueprint state file. This can undermine informed consent: an operator may approve installation based on an inaccurate description of filesystem changes.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document claims all files are `create` mode and that existing files are never modified, yet later instructs the agent to merge into `.blueprint-state.json`. That contradiction can cause unexpected modification of an existing file, defeating the operator's expectation that reruns are non-modifying.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The blueprint explicitly claims it is '100% local' and makes 'no external actions,' but later authorizes web research and heartbeat checks for inbox/calendar if such integrations exist. This mismatch can mislead users and downstream agents into granting broader capabilities than expected, weakening informed consent and safe deployment decisions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The advertised purpose is a local memory persistence system, but the installed instructions also grant broad workspace exploration, organization, and web research authority. That scope expansion violates least privilege and may cause agents to perform actions unrelated to memory management under the guise of routine startup behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Allowing unrestricted web search and research exceeds the stated local-memory purpose and introduces network access into a workflow that users were told was local-only. This can expose prompts, metadata, or sensitive context to external services and expands the attack surface without necessity.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The heartbeat checklist encourages monitoring email and calendar integrations, which is outside the core scope of memory persistence and implies access to sensitive third-party data sources. Even if marked conditional, embedding these checks normalizes broader surveillance-like behavior and can trigger access beyond user expectations.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The confirmation gate accepts broad, common phrases such as `yes`, `proceed`, and `do it`, which may appear in conversational replies that are not intended as installation approval. In an agent workflow, this increases the risk of unintended file creation or state changes from ambiguous natural-language responses.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The blueprint references heartbeat-driven proactive behavior but does not define a concrete trigger, scheduler, or authorization boundary. Ambiguous activation conditions can lead agents or wrappers to run checks opportunistically or too frequently, causing unreviewed actions and unnecessary access to private data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase 'when a heartbeat runs' leaves activation undefined and permits broad interpretation by host agents or automation layers. In a skill that persists personal context, vague proactive execution semantics increase the risk of unauthorized checks, surprise notifications, or silent background processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly promotes automatic reading and updating of persistent memory files containing personal and operational context, but the user-facing warnings are incomplete and inconsistent. Although the document discusses privacy conceptually, it normalizes silent persistence ('the agent does the work' and 'don't ask, just do it'), which can lead to unintended retention of sensitive data, surprise file writes, and later disclosure through recall or reuse in the wrong session.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill is explicitly designed to persist user context, identity details, and daily logs across sessions. Even without network exfiltration, long-lived local retention increases privacy risk, expands the blast radius of workspace compromise, and may lead operators to store sensitive personal or business information without retention limits.

Ssd 3

Medium
Confidence
94% confidence
Finding
The personalization flow actively solicits enduring personal context for storage in `USER.md` and related files, which encourages accumulation of sensitive profile data. Because the memory system is intended to be durable and reused, overly broad prompts can normalize storing more personal information than necessary.

Ssd 3

Medium
Confidence
93% confidence
Finding
The design intentionally establishes persistent cross-session retention of personal context, which creates a privacy and data-minimization risk if sensitive material is stored indefinitely. Even with private-session caveats, the system encourages accumulation of personal, behavioral, and operational data in plain workspace files that may later be exposed to other tools, users, or contexts.

Ssd 3

Medium
Confidence
94% confidence
Finding
The long-term memory instructions tell the agent to preserve operator facts, preferences, decisions, and context over time, effectively building a persistent personal profile. In a plain-text workspace, this raises confidentiality and over-collection concerns, especially if later read in broader contexts or by other automations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.