Memory Vector v2.1 (multi-layer knowledge base)

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned, but it can send raw memory logs and search queries to configured services and persist sensitive details without clear consent safeguards.

Install only after reviewing the scripts and accepting that memory logs, search queries, embeddings, API endpoint config, and personal profile details may be stored locally and sent to configured services. Prefer local-only endpoints, avoid using it with secrets or sensitive conversations, and remove API keys from persisted config before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium (95% confidence)
The documentation claims sensitive information such as API keys and tokens are automatically filtered and not stored, but elsewhere the skill explicitly categorizes tool and environment-variable content into TOOLS.md for persistence. This creates a misleading security guarantee that can cause users or operators to trust the system with secrets that may be summarized, synced, or retained in memory artifacts and vector storage.

Context-Inappropriate Capability

High (98% confidence)
The script reads workspace memory logs and transmits their contents to configurable embedding and LLM endpoints over the network. Those logs can contain personal, confidential, or security-sensitive data, and the code performs this transfer by default without prior minimization, allowlisting, or explicit user consent, creating a clear exfiltration risk.

Context-Inappropriate Capability

Medium (99% confidence)
The code ingests API credentials from environment variables and later persists the entire CONFIG object into the memories database, which includes API URLs, models, and potentially API keys. Storing secrets alongside ordinary application data materially increases the chance of credential disclosure through file access, backup leakage, or later processing of the database.

Intent-Code Divergence

High (99% confidence)
Although the script defines a sensitive-content filter, it invokes LLM and embedding analysis on the raw file content before any filtering is applied. This creates a direct privacy and secret-leak path to remote services while giving a misleading impression that sensitive data is protected.

Missing User Warnings

Medium (92% confidence)
The skill describes reading conversation logs, distilling them with an LLM, storing them in persistent knowledge-base files, and writing embeddings to a vector database, but it does not present a clear user-facing warning or consent model for this retention. In practice, users may disclose personal data, preferences, or sensitive operational details without understanding that the data will be persistently stored, synchronized across files, and made searchable.

Missing User Warnings

Medium (94% confidence)
The script sends conversation content to external services without any user-facing warning, confirmation, or policy gate. In a memory-distillation context, users are likely to expect local processing of personal notes, so silent transmission of dialogue materially raises privacy and trust risks.

Missing User Warnings

High (99% confidence)
The initialized memories object includes config: CONFIG, and that object is later serialized to memories.json. Because CONFIG contains API keys from environment variables, the skill can write sensitive credentials to disk without warning, exposing them to other tools, users, or backups.

Missing User Warnings

Medium (95% confidence)
The script sends the user's raw search query to a configurable embedding endpoint, which may be a local or remote service, without any consent prompt, warning, or privacy notice. Because the tool is explicitly used to search a memory store containing potentially sensitive personal or work information, queries themselves can disclose confidential intent or data to an external service controlled via environment variables.

Ssd 3

Medium (90% confidence)
The prompt explicitly instructs the LLM to extract and preserve salient details from dialogue into durable memory artifacts. In this skill's context, that promotes retention of personal or sensitive user information and expands the privacy impact of any downstream exposure or misuse.

Ssd 3

High (98% confidence)
The generated MEMORY.md explicitly consolidates durable personal profile data, including children's ages, household details, and a specific commute/location pattern. Centralizing this information in a predictable summary file increases sensitivity, discoverability, and the potential harm from unauthorized access.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.