MEMORIA: Persistent Memory Layer for AI Agents

Security checks across malware telemetry and agentic risk

Overview

MEMORIA is a local memory skill, but it gives the agent broad long-term power to save and resurface personal and work details with limited confirmation controls.

Install only if you want an agent to maintain a long-lived local profile about you and your work. Review ~/.memoria/memory.md and its backups regularly, avoid storing secrets or sensitive infrastructure details, and prefer explicitly telling the agent what to remember rather than relying on automatic saves.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (10)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The example normalizes creating a persistent local memory file containing user context without any warning about sensitivity, retention, or review/deletion controls. Even though storage is local, the file may contain personal, business, or infrastructure data that can later be exposed to other users of the machine, backups, logs, or unintended prompts.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The example shows the system resurfacing prior sensitive context, including server identity and past operational issues, with no indication of confirmation or privacy boundaries. This creates a risk of accidental disclosure if sessions are viewed by others, if the wrong user is interacting, or if stored memory contains information that should not be repeated automatically.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The README presents very broad natural-language commands such as 'Remember that I hate Redux' and 'What do you know about me?' without defining clear trigger boundaries, confirmation requirements, or scoping rules. In an agent setting, ambiguous triggers can cause unintended persistence, retrieval, or disclosure of sensitive context from ordinary conversation, especially because the skill is explicitly designed to read and write long-lived memory automatically.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README emphasizes persistent local storage of user information but does not give a prominent warning that the agent may continuously append personal data to a durable file. Users may reasonably underestimate that preferences, location, collaborators, blockers, and other sensitive context will be written and retained across sessions, creating privacy and local data exposure risk.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill maps broad natural-language phrases like "Remember that..." or "I decided to X" directly to persistent writes, which can cause accidental memory modification from ordinary conversation rather than explicit consent. In a prompt-injection setting, third-party content could include these phrases and trick the agent into persisting untrusted or sensitive data.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The initialization flow says the agent should auto-populate the memory file after answers are provided, but at that point it does not present the promised pre-write notification or ask for explicit approval before persisting data. This creates a consent gap during first-run onboarding, when users may disclose personal details without realizing they are about to be stored permanently.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The example promotes long-term storage and future resurfacing of detailed context such as infrastructure identifiers, operational history, and prior incidents. In a persistent-memory skill, this is more dangerous because the whole purpose is cross-session accumulation, increasing the amount of potentially sensitive material available for accidental disclosure or misuse.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The initialization flow explicitly asks for broad personal, business, and technical details and persists them for all future sessions. This is risky because it encourages over-collection at onboarding, before users are warned about long-term retention, sensitivity boundaries, or the consequences of storing detailed profiles and infrastructure context.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The weekly brief example aggregates historical activity, decisions, blockers, and behavioral patterns into a concise profile. Such summaries can amplify privacy risk because they transform many small observations into high-value intelligence about the user's projects, habits, priorities, and business status, making accidental disclosure more damaging.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill is designed to collect and retain a wide range of personal, professional, and contextual information, then later surface or summarize it on request. Even though storage is local, the concentration of identity data, work context, decisions, blockers, and relationships in a single readable markdown file materially increases the impact of accidental disclosure, over-collection, prompt-triggered exfiltration to the user interface, or compromise of the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal