
Security audit

Memory Keeper

Security checks across malware telemetry and agentic risk

Overview

This memory backup skill does what it describes, but it needs review before installation: it can copy sensitive agent context, plus any additional workspace files it is pointed at, to an arbitrary Git remote with weak safeguards.

Install it only if you intentionally want agent memory and context files archived. Prefer a local target or a private repository you control, review the files before pushing, avoid broad --allow-extra patterns, never embed tokens in remote URLs or commands, and remove or redact memory log entries if a remote URL ever contained credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises, and instructs the agent to use, a Python CLI that reads sensitive context files, writes archives and may run git, yet the skill file declares no corresponding permissions. The mismatch hides the real capability from users and from any policy layer that would gate file access or shell/git execution, and it matters here because the targeted files are agent memory and configuration data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script can configure a remote and push archived memory files to an arbitrary Git repository, which allows sensitive agent context, credentials, prompts or operational notes to leave the local environment. Because the archived files are explicitly high-value memory and configuration artifacts, network transmission materially increases exposure compared with a purely local backup utility.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The --allow-extra option permits copying arbitrary relative files, glob matches and entire directories from the workspace into the archive, turning a scoped memory backup into a general bulk-collection mechanism. Agent workspaces often contain secrets, source code, tokens or unrelated private data, so this broadens accidental over-collection and, combined with git push, can exfiltrate far more than the stated purpose.
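As a concrete form of the "review files before pushing" advice in the overview, the script below is an added example and is not part of the skill or of this audit. It walks an archive directory, lists every file outside the memory set named in the findings (MEMORY.md, AGENTS.md, SOUL.md, USER.md, TOOLS.md and memory/*.md), which is where --allow-extra over-collection shows up, and greps for a few obviously secret-shaped strings before anything is pushed. The archive layout, the sample files and the token-like values are constructed for the demonstration, and the secret patterns are illustrative rather than a complete scanner.

```shell
#!/bin/sh
# Pre-push review of a memory archive (added example; the expected file set
# is taken from the audit findings, everything else here is an assumption).

# Files the skill is described as collecting. Anything else in the archive
# most likely arrived through --allow-extra and deserves a second look.
is_expected_path() {
  case "$1" in
    MEMORY.md|AGENTS.md|SOUL.md|USER.md|TOOLS.md) return 0 ;;
    memory/*.md) return 0 ;;
    *) return 1 ;;
  esac
}

# Secret-shaped material: GitHub classic PAT prefix, AWS access key ID format,
# PEM private key header, and user:password (or user:token) inside a URL.
SECRET_RE='ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|://[^/@[:space:]]+:[^/@[:space:]]+@'

# list_unexpected DIR: print archive paths outside the declared memory set.
list_unexpected() {
  dir=$1
  (cd "$dir" && find . -type f | sed 's|^\./||') | while IFS= read -r rel; do
    is_expected_path "$rel" || printf '%s\n' "$rel"
  done
}

# list_secret_hits DIR: print "path:line:text" for every secret-looking match,
# with the directory prefix stripped so output is relative to the archive.
list_secret_hits() {
  dir=$1
  grep -rEn "$SECRET_RE" "$dir" 2>/dev/null | sed "s|^$dir/||"
}

# review_archive DIR: exit 0 only when nothing unexpected was collected and no
# secret-looking content was found; otherwise print what to fix and exit 1.
review_archive() {
  dir=$1
  status=0
  unexpected=$(list_unexpected "$dir")
  if [ -n "$unexpected" ]; then
    echo "files outside the declared memory set (check --allow-extra):"
    echo "$unexpected" | sed 's/^/  /'
    status=1
  fi
  hits=$(list_secret_hits "$dir")
  if [ -n "$hits" ]; then
    echo "secret-looking content; redact before pushing:"
    echo "$hits" | sed 's/^/  /'
    status=1
  fi
  return $status
}

# make_fixture: build a constructed sample archive in a temp dir and print its
# path. The URL credentials and token are placeholders, not real secrets.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/memory"
  printf '# Memory\nremote was https://alice:hunter2@git.example.invalid/r.git\n' > "$d/MEMORY.md"
  printf '# Notes\nnothing sensitive here\n' > "$d/memory/2024-01-01.md"
  # a workspace file that a broad --allow-extra pattern would sweep in
  printf 'GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n' > "$d/.env"
  printf '%s\n' "$d"
}

# Demo: ./review.sh --demo builds the fixture and reviews it.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_fixture)
  review_archive "$demo"
  rm -rf "$demo"
fi
```

In practice, run `review_archive` on the archive directory and only push when it exits 0; a hit in MEMORY.md usually means an earlier push used a credential-bearing remote URL and the entry needs redacting, not just the push blocking.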

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill description mentions git-friendly behavior and shows an example with --remote and --push, but it does not prominently warn that highly sensitive memory and context files may be transmitted to an external repository. A user could reasonably read this as routine backup behavior and unknowingly send agent memories, credentials, prompts or personal data to third-party infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly encourages pushing archived memory files to a git remote, even though the archived content includes workspace memory and agent context files that may hold secrets, credentials, system prompts, operational notes or other sensitive data. It also states that the sync log records the remote URL used, which exposes repository locations and, if a user follows the unsafe URL practices the documentation itself suggests, any credentials embedded in that URL.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The troubleshooting guidance suggests embedding a personal access token and using `GIT_ASKPASS=echo` with the token, so the token is placed directly on the command line or in the remote URL. Credentials handled this way leak into shell history, process listings, logs, CI traces and the memory-sync audit entries, enabling credential theft and unauthorized repository access.
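The following is an added example, not code or guidance from the skill: it refuses a remote URL that carries user:token credentials, redacts such credentials from sync-log lines that already contain them, and writes a GIT_ASKPASS helper that answers git's password prompt from a mode-0600 file so the token never appears in argv, shell history or the log. The log format, file names, token-file path and placeholder token are constructed; the pattern only understands HTTPS-style URLs, so an SSH remote written as git@host:path is deliberately left alone.

```shell
#!/bin/sh
# Credential hygiene for --remote / --push (added example; the sync-log
# format and helper locations are assumptions, not the skill's own).

# Authority part of a URL carrying user:password or user:token.
CRED_URL_RE='://[^/@[:space:]]+:[^/@[:space:]]+@'
# Same pattern as a sed substitution that keeps the scheme and host.
CRED_URL_SED='s#(://)[^/@[:space:]]+:[^/@[:space:]]+@#\1[REDACTED]@#g'

# check_remote_url URL: 0 if the URL carries no embedded credentials, else 1.
check_remote_url() {
  if printf '%s\n' "$1" | grep -Eq "$CRED_URL_RE"; then
    return 1
  fi
  return 0
}

# redact_url URL: print the URL with any user:secret@ replaced.
redact_url() {
  printf '%s\n' "$1" | sed -E "$CRED_URL_SED"
}

# redact_log_file FILE: rewrite a sync log in place, redacting credentials
# that were recorded as part of a remote URL.
redact_log_file() {
  file=$1
  tmp="$file.tmp.$$"
  sed -E "$CRED_URL_SED" "$file" > "$tmp" && mv "$tmp" "$file"
}

# write_askpass_helper DIR: create a GIT_ASKPASS helper that answers only
# password prompts, reading the token from $GIT_TOKEN_FILE. Use a remote of
# the form https://USER@host/repo.git so git never prompts for the username.
# Prints the helper path.
write_askpass_helper() {
  helper="$1/askpass.sh"
  cat > "$helper" <<'EOF'
#!/bin/sh
# git passes the prompt text as $1; refuse anything but a password prompt.
case "$1" in
  *assword*) cat "${GIT_TOKEN_FILE:?set GIT_TOKEN_FILE to a mode-0600 token file}" ;;
  *) exit 1 ;;
esac
EOF
  chmod 700 "$helper"
  printf '%s\n' "$helper"
}

# make_sample_log: constructed sync log with one bad (credentialed HTTPS) and
# one acceptable (SSH) remote entry; prints the file path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2024-05-01T10:00:00Z sync remote=https://alice:hunter2@git.example.invalid/alice/memory.git files=6
2024-05-01T10:05:00Z sync remote=git@git.example.invalid:alice/memory.git files=6
EOF
  printf '%s\n' "$f"
}
```

With the helper in place, a push looks like `GIT_ASKPASS=/path/to/askpass.sh GIT_TOKEN_FILE=~/.config/memory-keeper/token git push origin main` (the token-file path is an assumption): git calls the helper instead of prompting on the terminal, nothing is echoed, and the remote URL recorded in the sync log contains no secret.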

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
When --push is used, the tool transmits the synchronized memory archive to the remote repository without an explicit disclosure or confirmation at the point of action. Given that the skill is designed to collect MEMORY.md, AGENTS.md, SOUL.md and memory/*.md, the data is sensitive by nature, which makes a silent or lightly signaled outbound transfer especially risky.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill is expressly designed to collect a broad set of sensitive files, such as MEMORY.md, AGENTS.md, SOUL.md, USER.md, TOOLS.md and heartbeat/context documents, then archive them with their layout preserved and optionally push them to a git remote. Broad archival is inherently dangerous in this context because these files can contain system prompts, operational secrets, user data, internal instructions and recovery context; centralizing and exporting them significantly increases confidentiality risk and blast radius.

VirusTotal

65/65 vendors reported this skill as clean.
