org-memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly purpose-aligned, but it needs review because it can persist and reload user-related notes across sessions and has weak file scoping for some write tools.

Install only if you want the agent to keep long-term org-based memory. Use a trusted org CLI binary, avoid saving secrets or sensitive personal data, review and prune the memory directory, and prefer an updated version that validates file paths so write tools cannot leave the configured memory workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description frames the feature as simple persistence of agent memory, but the actual behavior expands to automatic session-start loading, search, read access, task management, and graph manipulation across a persistent workspace. That mismatch matters because users may consent to storage without realizing the skill also performs broad retrieval and automatic context injection, increasing privacy and prompt-surface risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to persist its own knowledge, observations, and graph-structured information about the user or their work into a dedicated workspace, but it does not pair that with a clear consent, retention, or sensitivity warning. This creates a real privacy risk because users may not understand that durable profiles and relationship graphs are being built outside transient session context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically loading memory.org and recent daily notes into every new session creates silent cross-session data exposure. Even if the content was originally stored for continuity, injecting it without a clear warning or gating mechanism can surface stale, sensitive, or irrelevant personal/work information in later interactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The before_agent_start hook reads memory.org plus today/yesterday daily notes and injects their raw contents into the model context automatically. That creates a real confidentiality risk because previously stored sensitive information is exposed to the agent on every session without any consent, scoping, or redaction control visible in this file.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The plugin exposes many mutation tools that persist notes, todos, state changes, and appended facts into long-lived storage, but this file shows no user confirmation, approval gate, or prominent disclosure at write time. In a memory plugin, silent persistence is security-relevant because an agent can retain sensitive user data or operational details beyond the current conversation, increasing privacy and prompt-injection persistence risks.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill encourages building detailed persistent knowledge about the user, their preferences, projects, stakeholders, and system history in the agent's own workspace. In context, that is more dangerous than ordinary note-taking because it centralizes behavioral and relationship data into a durable knowledge graph that can outlive user expectations and broaden privacy impact if misused or exposed.

Ssd 3

Medium
Confidence
94% confidence
Finding
The session-start hook automatically injects persistent memory and recent notes into future sessions, effectively turning prior stored observations into always-available context. This can amplify privacy harm, increase prompt-injection surface from persisted content, and cause unintended reuse of sensitive data across unrelated tasks.

Ssd 3

Medium
Confidence
94% confidence
Finding
The injected instructions explicitly encourage the agent to store ambient facts about the user and to keep working notes and permanent knowledge in the org workspace, while the plugin also preloads prior memory into context. That combination creates a durable data-retention channel where sensitive user information can be accumulated and later surfaced to the model, even when unrelated to the current request.

Session Persistence

Medium
Category
Rogue Agent
Content
**`memory.org`** — your permanent memory. Curated, concise, always loaded at session start. Contains who the user is, active projects, lessons learned, conventions, and anything needed every session. Keep it tight — move detail into entity nodes and keep memory.org as a summary with links.

**`daily/YYYY-MM-DD.org`** — raw daily logs. What happened, decisions made, ambient facts captured, things learned. Working notes, not curated. Write freely.

**Entity nodes** (`roam/*.org`) — structured roam nodes for people, projects, concepts. Tagged, linked, and queryable on demand.
Confidence
93% confidence
Finding
Write freely. **Entity nodes** (`roam/*.org`) — structured roam nodes for people, projects, concepts. Tagged, linked, and queryable on demand. ## Session start routine The `org-memory` plugin's `be

VirusTotal

67/67 vendors flagged this skill as clean.
