
Security audit

Metacognitive Memory

Security checks across malware telemetry and agentic risk

Overview

The plugin is a plausible local memory tool, but the shipped code logs conversations automatically despite opt-in claims and has real session-isolation gaps.

Only consider installing after the publisher ships a clean build where automatic capture is disabled unless allowConversationAccess is explicitly true, sensitive-data redaction is actually present in the executable code, source conflict markers are removed, and all mutating tools enforce session_id ownership. Do not use this release in sensitive workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 88%

Finding
The file-level comment promises multi-agent isolation via session_id scoping, but several mutating methods such as goal/fact verification and deletion operate only on global record IDs with no sessionId parameter. If callers can supply arbitrary IDs, one session or agent could modify or delete another session's data, breaking tenant isolation and enabling unauthorized cross-session tampering.

Intent-Code Divergence

Severity: High
Confidence: 97%

Finding
The file explicitly claims that all tables are scoped by session_id for multi-agent isolation, but multiple mutating methods operate only on object IDs and do not verify the caller's session. Methods such as l4UpdateGoal(goalId), l4DeleteGoal(goalId), l5VerifyFact(factId), and l5DeleteFact(factId) can modify or delete records across sessions if an attacker can obtain another session's record ID, breaking tenant isolation and enabling unauthorized tampering.

Intent-Code Divergence

Severity: Medium
Confidence: 99%

Finding
The file contains unresolved Git merge-conflict markers, which is a real security and reliability defect because it leaves contradictory implementations in source control and can cause the insecure branch to be compiled, selected, or manually resolved incorrectly. Here, one branch stores the database in a hidden subdirectory while the other changes storage behavior, and the embedded commit message references security fixes, signaling that the conflict directly touches security-relevant logic.

Intent-Code Divergence

Severity: High
Confidence: 98%

Finding
This is a true vulnerability because the conflicted method signatures show one branch enforcing sessionId for goal and fact mutation operations while the other allows updates, verification, and deletion by object ID alone. If the weaker branch is kept or incorrectly merged with downstream store logic, callers may modify or delete records across sessions, breaking tenant/session isolation and enabling unauthorized access to another session's memory data.

Intent-Code Divergence

Severity: High
Confidence: 98%

Finding
The file claims all tables are scoped by session_id for multi-agent isolation, but the unresolved merge-conflict region shows active code paths where goal and fact update/delete operations may use only the record ID. If a caller can supply another session's object ID, they could modify or delete cross-session data, breaking tenant isolation and integrity guarantees.

Intent-Code Divergence

Severity: Medium
Confidence: 99%

Finding
The file contains literal Git conflict markers with competing implementations, including one branch that omits session scoping on sensitive mutations. This is dangerous both because it can break builds and because it signals that security fixes were not cleanly applied, leaving isolation-sensitive code in an ambiguous or unsafe state.

Intent-Code Divergence

Severity: High
Confidence: 98%

Finding
The file contains unresolved merge-conflict markers and two contradictory behavioral branches: one advertises privacy controls and opt-in capture, while another active branch performs automatic global message capture. In a memory plugin, this contradiction is dangerous because operators may rely on the safer description while the executable code still retains sensitive conversation content broadly.
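A pre-install check for the defect the conflict-marker findings above describe, added here as an example and not part of the plugin or of the scanner's output: it parses a source file for unresolved `<<<<<<<` / `=======` / `>>>>>>>` regions and reports each region's line bounds, branch labels and the two competing bodies, so a reviewer can see which branch carries the weaker behaviour before anything is built. The sample source is constructed to mirror the storage-path conflict the audit mentions (the plugin's real code is not reproduced), and the function name findConflictRegions is an assumption.

```javascript
// Added example, not the plugin's code: detect unresolved Git merge-conflict
// regions in a source file. A region has the shape
//   <<<<<<< <ours-label> ... ======= ... >>>>>>> <theirs-label>
// and the ">>>>>>>" label may carry a commit message, which is kept verbatim.
const CONFLICT_START = /^<{7}(?: (.*))?$/;
const CONFLICT_MID = /^={7}$/;
const CONFLICT_END = /^>{7}(?: (.*))?$/;

function findConflictRegions(source) {
  const lines = source.split(/\r?\n/);
  const regions = [];
  let open = null; // the region currently being parsed, if any
  lines.forEach((line, idx) => {
    const lineNo = idx + 1;
    let m;
    if ((m = CONFLICT_START.exec(line))) {
      if (open) throw new Error(`nested conflict start at line ${lineNo}`);
      open = { start: lineNo, mid: null, end: null, ours: m[1] || '', theirs: '', oursLines: [], theirsLines: [] };
    } else if (open && open.mid === null && CONFLICT_MID.test(line)) {
      // "=======" only counts as a separator inside an open region, so a
      // Markdown heading underline elsewhere in the file is not a false positive.
      open.mid = lineNo;
    } else if (open && (m = CONFLICT_END.exec(line))) {
      if (open.mid === null) throw new Error(`conflict at line ${open.start} has no ======= separator`);
      open.end = lineNo;
      open.theirs = m[1] || '';
      regions.push(open);
      open = null;
    } else if (open) {
      (open.mid === null ? open.oursLines : open.theirsLines).push(line);
    }
  });
  if (open) throw new Error(`unterminated conflict starting at line ${open.start}`);
  return regions;
}

// Constructed sample that mirrors the audit's description (one branch keeps the
// database in a hidden subdirectory). This is not the plugin's real source.
const SAMPLE_SOURCE = [
  'import path from "node:path";',
  '<<<<<<< HEAD',
  'const DB_PATH = path.join(baseDir, "memory.db");',
  '=======',
  'const DB_PATH = path.join(baseDir, ".memory", "memory.db");',
  '>>>>>>> fix/session-scoping',
  'export function openDb() { return DB_PATH; }',
].join('\n');

// Returns the regions found in the sample; an installer would refuse to
// proceed (or a CI gate would fail) when this array is non-empty.
function auditSample() {
  return findConflictRegions(SAMPLE_SOURCE);
}
```

Running auditSample() on the sample reports one region spanning lines 2 to 6 with labels HEAD and fix/session-scoping; the oursLines and theirsLines arrays hold the two competing bodies so the reviewer can compare them directly instead of trusting whichever side the build happens to keep.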

Context-Inappropriate Capability

Severity: High
Confidence: 99%

Finding
The automatic hook captures all inbound and outbound conversation content and persists it to memory without necessity checks, scoping, or explicit per-session consent. This creates a broad surveillance and retention surface for secrets, personal data, proprietary prompts, and tool outputs that may later be exposed through listing/search tools or downstream processing.

Intent-Code Divergence

Severity: High
Confidence: 97%

Finding
Mutating operations for goals and facts show unresolved conflict regions where the safer version includes session_id but the HEAD execution paths still call update/delete/verify methods without session scoping. If the backing core accepts object IDs globally, one session could modify or delete another session's goals or facts, breaking tenant isolation and integrity.
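The unscoped-mutation pattern described in the session-isolation findings above, beside a session-scoped version, as an added example that is not the plugin's code. GoalStore, deleteGoalUnscoped, deleteGoalScoped, updateGoalScoped and the in-memory Map are assumed stand-ins for the plugin's l4DeleteGoal / l4UpdateGoal methods and its database; the point is that every mutation must match both the record ID and the caller's session_id, and must not reveal whether a foreign ID exists.

```javascript
// Added example, not the plugin's code. An in-memory store stands in for the
// plugin's database; in SQL the scoped variants correspond to
//   DELETE FROM goals WHERE id = ? AND session_id = ?
// rather than WHERE id = ? alone.
class GoalStore {
  constructor() {
    this.goals = new Map(); // goalId -> { session_id, text, verified }
    this.nextId = 1;        // sequential IDs: trivially guessable by another session
  }

  createGoal(sessionId, text) {
    const id = this.nextId++;
    this.goals.set(id, { session_id: sessionId, text, verified: false });
    return id;
  }

  // Unscoped: the shape of l4DeleteGoal(goalId). Any caller that knows or
  // guesses another session's ID can delete that session's record.
  deleteGoalUnscoped(goalId) {
    return this.goals.delete(goalId);
  }

  // Scoped: the caller's session must own the record. A wrong session is
  // reported exactly like a missing record, so the API does not confirm that
  // the ID exists.
  deleteGoalScoped(sessionId, goalId) {
    const rec = this.goals.get(goalId);
    if (!rec || rec.session_id !== sessionId) return false;
    return this.goals.delete(goalId);
  }

  updateGoalScoped(sessionId, goalId, patch) {
    const rec = this.goals.get(goalId);
    if (!rec || rec.session_id !== sessionId) return false;
    // Re-assert session_id last so a patch can never move a row to another session.
    Object.assign(rec, patch, { session_id: sessionId });
    return true;
  }

  listGoals(sessionId) {
    return [...this.goals.entries()]
      .filter(([, g]) => g.session_id === sessionId)
      .map(([id, g]) => ({ id, ...g }));
  }
}

// Shows the cross-session tampering the audit describes, then the scoped fix.
function crossSessionDemo() {
  const store = new GoalStore();
  const victimGoal = store.createGoal('session-A', 'ship release');
  store.createGoal('session-B', 'unrelated');

  // A caller in session-B uses the unscoped path against session-A's record: succeeds.
  const unscopedDeleted = store.deleteGoalUnscoped(victimGoal);

  // Recreate the record and retry through the scoped paths: refused for B, allowed for A.
  const victimGoal2 = store.createGoal('session-A', 'ship release');
  const scopedDeleted = store.deleteGoalScoped('session-B', victimGoal2);
  const scopedUpdated = store.updateGoalScoped('session-B', victimGoal2, { verified: true });
  const ownerUpdated = store.updateGoalScoped('session-A', victimGoal2, { verified: true });

  return {
    unscopedDeleted,                                    // true: victim's record is gone
    scopedDeleted,                                      // false
    scopedUpdated,                                      // false
    ownerUpdated,                                       // true
    remainingForA: store.listGoals('session-A').length, // 1
  };
}
```

The same ownership check belongs on verification (l5VerifyFact) as well as on update and delete: verifying a fact is a write to its trust state, and an attacker who can mark another session's fact as verified corrupts that session's memory just as surely as deleting it.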

Missing User Warnings

Severity: High
Confidence: 94%

Finding
The plugin registers global hooks for message receipt/sending and persists all captured content into memory storage without any visible consent gate, notice, scoping control, or filtering for sensitive content. Because it logs both inbound user messages and outbound assistant replies across sessions, it can retain credentials, personal data, confidential prompts, and tool outputs far beyond user expectation, creating a significant privacy and data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 77%

Finding
The declaration explicitly advertises automatic global conversation capture via message:received and message:sent hooks, which implies collection of potentially sensitive user content across conversations. In a plugin entry point, the absence of any visible disclosure, consent, or scope limitation increases privacy and data-handling risk because users and integrators may not realize all messages are being intercepted.

Missing User Warnings

Severity: High
Confidence: 96%

Finding
The plugin registers global hooks that capture every inbound user message and outbound assistant reply and sends the full content into persistent memory processing without any visible consent, scoping, or filtering in this file. In an agent environment, this can collect secrets, personal data, credentials, and unrelated conversation content across sessions, creating a broad privacy and data-governance exposure.

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding
The store captures raw conversation content and tool results directly into persistent storage, which can include secrets, personal data, credentials, and sensitive outputs. In an agent memory system, this increases exposure because highly sensitive transient data becomes durable and searchable beyond the original interaction.

Missing User Warnings

Severity: High
Confidence: 96%

Finding
The active auto-capture path stores user and assistant messages silently, with no user-facing warning, consent prompt, or indication that retention is occurring. Hidden logging of conversational content is especially risky in an agent environment because users may disclose credentials, regulated data, internal instructions, or confidential business information during normal use.

Missing User Warnings

Severity: High
Confidence: 97%

Finding
The plugin explicitly advertises and implements automatic capture of all inbound and outbound conversation content, but this file shows no consent flow, disclosure mechanism, or scoping control. In an agent/plugin context, conversations often contain secrets, personal data, credentials, or proprietary information, so indiscriminate logging materially increases privacy and data-exposure risk.

Ssd 3

Severity: Medium
Confidence: 88%

Finding
The plugin description and implementation explicitly position the skill as a system that captures every inbound and outbound message globally and converts them into higher-level memories. In a memory plugin this is functionally aligned with stated behavior, but the semantic design still creates a real data-collection risk because natural-language content often contains sensitive information and the code does not show safeguards, disclosure, or minimization.

Ssd 3

Severity: High
Confidence: 90%

Finding
The plugin description explicitly advertises comprehensive multi-layer retention of all conversation content, including user and assistant messages, which signals intentional large-scale data collection beyond a narrowly scoped feature. In context, this increases risk because the skill is a memory subsystem with automatic capture, making overcollection and long-term storage of sensitive information more dangerous than a transient processing feature.

Ssd 3

Severity: High
Confidence: 97%

Finding
The registered hooks implement unconditional logging of all user inputs, assistant outputs, and even session-start events via core.l0Capture, with no visible checks for consent, sensitivity, tenant boundaries, or relevance. Because this operates globally and automatically, it can silently aggregate cross-session conversational data into a durable memory system, increasing the blast radius of any misuse, breach, or internal abuse.

Ssd 3

Severity: High
Confidence: 90%

Finding
The plugin description normalizes broad retention of conversation content, including inbound and outbound messages, which encourages operators to enable a high-risk data collection behavior without adequate minimization. In a memory skill, this materially increases exposure because retained logs can contain secrets, system prompts, personal data, and confidential context beyond what is needed for the tool's core function.

Ssd 3

Severity: High
Confidence: 98%

Finding
The hook logic effectively instructs the system to collect and retain all message content by default, which is a direct data-handling risk rather than a mere documentation problem. Given this plugin's purpose as long-term memory, automatic retention materially amplifies downstream leakage, misuse, and compliance risks because captured content may be searchable and persist across time.

Ssd 3

Severity: High
Confidence: 98%

Finding
The description and registration logic indicate global, indiscriminate capture of every message across sessions rather than a narrowly tailored memory feature. That broad collection scope is especially dangerous in plugin ecosystems because it can silently aggregate sensitive user and model outputs unrelated to the plugin's immediate task, expanding the blast radius of any misuse or compromise.

Ssd 3

Severity: High
Confidence: 99%

Finding
The hooks forward raw `context.content` for both received and sent messages directly into persistent memory via `core.l0Capture(...)` with no minimization, filtering, redaction, or sensitivity checks. This means secrets, personal data, authentication material, safety-sensitive prompts, and model responses are all stored wholesale, making downstream leakage, unauthorized access, and compliance violations much more likely.
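One way to gate the message:received / message:sent hooks on the allowConversationAccess opt-in that the overview requires, and to redact obvious secret formats before core.l0Capture is called, as an added example that is not the plugin's code. The hook names, context.content and core.l0Capture follow the audit text; the config shape, the redaction patterns, makeCaptureHooks and the in-memory core stand-in are assumptions for illustration, and the pattern list is a minimal sample rather than a complete secret scanner.

```javascript
// Added example, not the plugin's code. Two controls the audit finds missing:
// (1) capture is a no-op unless allowConversationAccess is exactly true, and
// (2) content is redacted before it reaches persistent storage.
const REDACTIONS = [ // assumed patterns, a starting point rather than a complete list
  { name: 'aws_access_key', re: /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { name: 'bearer_token',   re: /\b[Bb]earer\s+[A-Za-z0-9\-._~+\/]+=*/g },
  { name: 'private_key',    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  { name: 'email',          re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
];

function redact(text) {
  let out = text;
  const hits = [];
  for (const { name, re } of REDACTIONS) {
    out = out.replace(re, () => { hits.push(name); return `[REDACTED:${name}]`; });
  }
  return { text: out, hits };
}

// Builds the two hooks. The flag must be the boolean true; undefined, "true"
// or 1 are all treated as opt-out, so a mis-typed config fails closed.
function makeCaptureHooks(core, config) {
  const optedIn = Boolean(config) && config.allowConversationAccess === true;
  const capture = (direction, context) => {
    if (!optedIn) return { captured: false, reason: 'allowConversationAccess is not true' };
    if (!context || typeof context.content !== 'string') return { captured: false, reason: 'no content' };
    const { text, hits } = redact(context.content);
    core.l0Capture({ direction, sessionId: context.sessionId, content: text, redacted: hits });
    return { captured: true, redacted: hits };
  };
  return {
    'message:received': (context) => capture('inbound', context),
    'message:sent': (context) => capture('outbound', context),
  };
}

// In-memory stand-in for the plugin core (constructed for this example).
function makeFakeCore() {
  const records = [];
  return { records, l0Capture: (rec) => records.push(rec) };
}

function hookDemo() {
  // Constructed message carrying two secret-looking strings (not real credentials).
  const msg = { sessionId: 's1', content: 'Use key AKIAABCDEFGHIJKLMNOP and Bearer eyJhbGciOi.abc' };

  const offCore = makeFakeCore();
  const offResult = makeCaptureHooks(offCore, {})['message:received'](msg); // flag absent

  const onCore = makeFakeCore();
  const onResult = makeCaptureHooks(onCore, { allowConversationAccess: true })['message:sent'](msg);

  return {
    offCaptured: offResult.captured,    // false
    offStored: offCore.records.length,  // 0
    onCaptured: onResult.captured,      // true
    onStored: onCore.records.length,    // 1
    storedContent: onCore.records[0].content,
    redacted: onResult.redacted,        // ['aws_access_key', 'bearer_token']
  };
}
```

Redaction here runs before the write, not at read time, because the audit's concern is what becomes durable: once raw content is in the store, every later listing, search or export path has to be trusted to filter it. A read-side filter is a reasonable second layer, not a substitute.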

VirusTotal

65/65 vendors reported this plugin as clean; no vendor flagged it.
