Shared Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real local shared-memory tool, but it stores and can overwrite team, project, and employee data without clear access controls or safety prompts.

Install only if you want a plaintext local shared-memory store under ~/.shared-memory and are comfortable with any local caller using the skill to read or change that data. Do not store secrets, private employee information, regulated data, or sensitive customer/project details. Treat visibleTo and similar fields as labels, not real privacy controls, and avoid restore/delete operations unless you have an external backup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill describes capabilities that imply filesystem persistence, backups, context loading, and future message-bot/session integrations, yet no explicit permissions are declared. That mismatch can cause the agent to access environment data or network-connected services without clear user consent or sandbox expectations, which is a real security boundary problem even if the author likely intended collaboration features rather than abuse.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The code advertises security features like access control, but every sensitive operation (read, write, update, delete, backup, and restore) is callable without any authentication or authorization checks. In a shared cross-team memory system, this means any caller can read sensitive collaboration data or modify and destroy records, creating both confidentiality and integrity risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The module includes system-wide delete and restore functionality that can remove or replace stored data across the shared memory store, yet these actions are exposed as ordinary methods and CLI commands with no privilege checks. In this context, a shared collaboration memory system becomes a single point of failure where any caller with access to the module can wipe active data or roll it back to a stale state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The backup and restore administration is broad and destructive relative to the skill's collaboration purpose, especially because restore clears existing directories and overwrites data from a selected backup. Without authorization, approval, or scope limitation, this administrative capability materially expands the blast radius of misuse or compromise.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README advertises cross-window, cross-session memory and backup capabilities but does not warn users that data may persist across sessions, teams, or backups. In a shared-memory skill, this omission can cause users to unknowingly store sensitive project, employee, or organizational data in a persistent store, increasing the risk of privacy leaks, unintended retention, and unsafe data sharing.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases are broad, generic collaboration terms such as shared memory, knowledge base, project collaboration, and employee status, making accidental activation likely during ordinary conversation. In this skill's context, unintended activation is more dangerous because activation can lead to persistent writes, status tracking, and broad context sharing across teams and sessions.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill is explicitly designed for persistent storage of announcements, project data, knowledge, employee status, read history, audit logs, and backups, but it does not present clear user-facing warnings, consent, retention, or privacy boundaries. Because the storage is cross-team, cross-window, and cross-session, ordinary user inputs can be silently retained and exposed far beyond the original interaction, creating a substantial privacy and data leakage risk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The restore path deletes current files and copies backup data in their place without any confirmation prompt, dry-run mode, or explicit warning in the code path. A mistaken or malicious invocation can therefore cause immediate large-scale data loss or rollback of collaboration state, which is especially dangerous for a shared memory store used across teams and sessions.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The integration section proposes automatically loading prior context for employees on startup and automatically recording task completions, issues, and lessons into shared memory across sessions. In a plain-language workflow, this creates a strong risk that sensitive user instructions, internal deliberations, credentials, business data, or personal information are propagated to unrelated agents or future sessions without contextual consent.

VirusTotal

63/63 vendors flagged this skill as clean.