context-memory-manager (记忆管家)

Security checks across malware telemetry and agentic risk

Overview

This memory-management skill is mostly purpose-aligned, but it persistently saves complete chat histories and uses a fixed temporary report file to drive later agent actions.

Install only if you intentionally want durable local memory that may contain complete conversations, preferences, todos, project details, and any secrets accidentally shared in chat. Before enabling it, restrict access to the workspace and /tmp report files, consider disabling or editing the cron job, and periodically review or delete memory/chat, memory/archive, MEMORY.md, /tmp/cmm_review_report.json, and /tmp/cmm_review.log.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill directs the agent to read and write persistent files (`MEMORY.md`, chat logs, `.last_review`, `/tmp` report files) but does not declare those capabilities up front. Hidden or undeclared file access weakens user/operator visibility into what the skill can store or modify, increasing the chance of silent persistence and unintended data handling.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 81%
Finding: The advertised behavior focuses on context monitoring and memory compression, but the instructions also add persistence and maintenance behaviors such as archiving files, maintaining timestamps, and using a system-wide temporary report file. That mismatch can mislead users about the scope of side effects, causing them to enable a skill that performs broader stateful operations than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script writes a structured review report containing workspace path, file inventory, timestamps, and token estimates to a fixed global path under /tmp. On multi-user systems or shared runtimes, predictable temporary-file locations can expose sensitive metadata, enable accidental cross-session leakage, or allow clobbering/symlink-based overwrite behaviors if file creation is not hardened.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: Broad trigger phrases like everyday requests about memory or context can cause the skill to activate unintentionally during normal conversation. Because activation can lead to file writes, conversation logging, and review processing, accidental invocation materially increases privacy and integrity risk.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The skill instructs automatic saving of complete conversations and extraction of user preferences without clear consent, retention notice, or minimization. In this context, that is dangerous because chat transcripts often contain secrets, personal data, and sensitive project information that would be persistently stored and easier to exfiltrate later.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill describes recurring cron execution, report-file creation, and deletion of files as automatic background behavior, but does not clearly warn users about ongoing system changes. Persistent scheduled tasks can surprise users, continue operating after the original interaction, and create a lasting footprint that is easy to overlook.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: Persisting review output to /tmp without clear disclosure creates silent data exposure risk because users may assume the tool only prints to stdout or operates within the workspace. Since the report summarizes memory files and review state, this can leak operational and potentially sensitive context beyond the expected storage boundary.

Ssd 3

Severity: High
Confidence: 97%
Finding: The workflow explicitly requires preserving full raw conversation history and extracting structured user preferences into persistent memory. This creates a strong data retention risk because it centralizes sensitive natural-language content, preferences, and project details in durable files that may later be read, leaked, or misused beyond the original session.

Ssd 3

Severity: High
Confidence: 98%
Finding: The instructions to fetch as much session history as possible and save it without trimming mandate broad collection of user data. In a memory-management skill, that context makes the issue more dangerous because the feature is framed as routine automation, normalizing overcollection and increasing the chance that confidential information is persistently captured without necessity.

Ssd 3

Severity: Medium
Confidence: 88%
Finding: The notes reinforce retaining original chat traces in unminimized form and discourage trimming, which extends the lifetime and volume of sensitive data on disk. Even if intended for memory quality, this increases exposure in the event of local compromise, misconfiguration, or later unintended access by other tools.

VirusTotal

65/65 vendors flagged this skill as clean.