Security audit

Chatgpt Memory Extraction

Security checks across malware telemetry and agentic risk

Overview

This skill turns a user-provided ChatGPT export into a local, searchable memory archive. It does so openly, but the resulting archive can contain very sensitive personal and third-party information.

Install only if you are comfortable creating a local plaintext archive of your ChatGPT history. Store the output in a private or encrypted folder, avoid cloud-sync or Git-tracked directories unless intentional, review and redact secrets or third-party details before sharing, and be especially careful before giving the generated archive to another AI assistant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly encourages users to process years of ChatGPT export data into a searchable personal memory archive, including decisions, emotions, relationships, and learning history, but it does not clearly warn that this data may contain highly sensitive personal information. In this skill context, that omission is meaningful because users may underestimate the privacy exposure involved in having an agent deeply read, reorganize, and preserve intimate conversation history.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documented output structure includes persistent raw conversation text, timeline files, people profiles, and topic summaries stored on disk, yet the README does not warn that these artifacts can become a concentrated repository of sensitive personal data. This increases risk in practice because the skill is specifically designed to create long-lived, searchable records that may be easier to exfiltrate, accidentally share, back up, or expose than the original export.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README encourages users to turn complete ChatGPT export data into a memory archive and explicitly suggests feeding that archive to AI assistants so the assistant 'truly knows you from day one.' ChatGPT exports commonly contain highly sensitive personal, medical, financial, relationship, and work information, so omitting a clear privacy warning and data-minimization guidance creates a real risk of oversharing sensitive data to additional AI systems or agents.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README encourages users to extract and reorganize full ChatGPT export data into local, human-readable memory files, but it does not prominently warn that these exports may contain extremely sensitive personal data and that the process creates additional copies on disk. This increases the risk of accidental disclosure through local compromise, backups, syncing services, or sharing of the generated archive, especially given the skill’s stated goal of making the data easier to feed into other AI systems.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill is designed to process full ChatGPT export archives, which can include intimate conversations, credentials, health details, financial information, and third-party personal data, yet it provides no meaningful privacy warning about exposure, retention, or local file creation. This omission is dangerous because users may be encouraged to unpack and transform sensitive data into additional plaintext artifacts, expanding the attack surface and increasing the chance of accidental disclosure.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
The spec explicitly directs the extractor to use the user's primary language without asking for preference or consent. For a skill handling highly personal archives, forcing inferred language can expose sensitive content in a language shared with family, coworkers, or local reviewers, and it removes a meaningful user-control/privacy choice.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The format mandates storing raw conversation texts plus structured summaries of people, emotions, life changes, and other sensitive details in plain-language files. This creates a concentrated privacy exposure: even if the original export was user-provided, the skill amplifies risk by reorganizing and duplicating sensitive material into easier-to-browse, easier-to-leak artifacts.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The timeline schema requires detailed capture of what the user said, what they learned, decisions, emotional state, life events, and notable direct quotes. In the context of ChatGPT export analysis, this is especially dangerous because the source material can span long periods and include intimate, health, relationship, financial, or crisis-related disclosures, turning the output into a highly sensitive dossier.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The people profile format aggregates identity, relationship, status, interactions, and the user's perception of named individuals into centralized profiles. This increases harm beyond the original chats by creating a searchable intelligence layer about third parties, including potentially defamatory, intimate, or identifying information that those individuals did not consent to have compiled.

VirusTotal

48/48 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.