Back to skill

Security audit

muninn

Security checks across malware telemetry and agentic risk

Overview

Muninn is mostly a local memory/indexing skill, but it also automatically writes persistent agent instructions into project rule files and runs a local indexing executable, so it should be reviewed before installation.

Install only if you want Muninn to actively shape agent workflow in the projects where it is initialized. Review diffs after initialization or reindexing, especially CLAUDE.md, .cursorrules, .antigravityrules, .gitignore, and .muninn contents, and avoid storing secrets or sensitive user data in memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented and inferred behavior includes shell/environment-capable operations and installation of a Node package that can execute code locally. This creates a trust-boundary violation: users and orchestrators may treat the skill as low-risk even though it can install and run software with filesystem access, increasing the chance of unintended code execution and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill description presents Muninn as a local memory/context layer, but the analyzed behavior materially exceeds that scope by modifying project policy files, enforcing workflow gates, injecting guidance into other tool responses, watching files, and maintaining persistent state. This mismatch is dangerous because it can mislead users into authorizing what seems like a passive indexing utility when it actually exerts control over agent behavior and alters repository files, enabling stealthy persistence and policy manipulation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This wrapper unconditionally chmods and executes a bundled native binary, giving the skill arbitrary native-code execution capability outside the JavaScript sandbox. In the context of an AI agent skill advertised as a context/indexing protocol, that is materially more dangerous because a compromised or trojaned binary could perform arbitrary filesystem, network, or process actions with the user's privileges.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code appends or rewrites .cursorrules, CLAUDE.md, and .antigravityrules with mandatory behavioral instructions that go beyond maintaining project context and actively steer agent behavior. In an agent skill, modifying trusted rule/config surfaces is dangerous because it persists hidden prompt injection into the project and can influence future agent sessions without clear user consent.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
Although automatic global state saving is disabled in one call path, the implementation still includes functions that write cross-project state into ~/.muninn/global_state.json. This creates undisclosed persistence outside the project boundary and could later be invoked by other code, undermining the stated isolation goal.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code automatically injects a managed block into unrelated agent control files such as `.cursorrules`, `CLAUDE.md`, and `.antigravityrules`, changing downstream agent behavior outside the stated indexing/context role. The injected text uses imperative language to steer future sessions and tool usage, which is a form of repository policy manipulation and creates a persistence mechanism for prompt/instruction hijacking.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The package is presented as a context/indexing engine, but it also mutates repository control surfaces by appending to `.gitignore` and later rewriting agent-facing rule files. That mismatch between declared purpose and actual behavior reduces transparency and can conceal persistent workflow changes that users did not expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instruction mandates storing decisions and patterns in a shared long-term memory without any limitation on sensitive content, consent, retention, or scoping. This creates a real risk that secrets, proprietary code details, user data, or security-relevant context will be persistently captured and later resurfaced across sessions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code launches a subprocess with no built-in disclosure, consent, or trust signal to the caller, which can hide a significant privilege boundary crossing from users and higher-level agent frameworks. In this skill context, undisclosed execution of a native binary is more concerning because the package presents itself as an AI protocol component rather than clearly as a system-level executable dependency.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
initProject creates directories, writes config and context files, and updates .gitignore without any visible confirmation or warning in this code path. Silent mutation of a user project is risky for an agent skill because it changes repository contents and behavior expectations without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
saveGlobalState writes a file under the user's home directory, creating persistence outside the current project without any user-facing disclosure. Hidden writes to global locations are sensitive because they can surprise users, affect other environments, and leave residual state across sessions.

Missing User Warnings

High
Confidence
99% confidence
Finding
ensureRules silently rewrites or appends to agent instruction files that are likely to be trusted by downstream tools and models. This is especially dangerous in a skill context because it plants durable behavioral instructions into control-plane files, effectively acting as prompt injection with persistence and no user review.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
addMemory writes markdown files into the project and immediately triggers reindexing, again without user-facing warning in this function. This creates silent persistence of potentially sensitive content and can alter repository state and search results unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The init/reindex handlers can trigger real filesystem-affecting operations such as project initialization, rule creation, and indexing on any caller-supplied path with no confirmation, scope restriction, or dry-run behavior in this layer. In an agent skill context, that is dangerous because a prompt-influenced or compromised caller could cause writes and scanning against unintended directories, leading to unauthorized modification of local files or privacy exposure from indexing sensitive content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The add-memory handler persists arbitrary title/content/category data to disk and only discloses the write after it has already occurred. In an agent environment, undisclosed persistence is risky because untrusted prompts or tool invocations can silently create files containing sensitive, malicious, or misleading content, potentially polluting project state or storing secrets without user awareness.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The init_project path is taken from tool input and immediately used to initialize and set an active project, which persists project context/state, without any confirmation or visible warning to the user. In an agent skill, this is more dangerous because a prompt-injected or confused agent could silently bind the server to an unintended directory, causing indexing, memory writes, or later context operations against sensitive local paths.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This middleware automatically intercepts sensitive tool calls and injects project memory context without any explicit user-facing notice, approval, or policy gate. In an agent setting, that can cause unintended disclosure of stored project context into file operations or command workflows, especially when memory may contain secrets, internal design notes, or unrelated sensitive data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Project rule files are edited automatically during indexing without any user-facing warning, approval step, or narrow scoping to a dedicated Muninn-owned file. Because these files influence AI assistant behavior, silent edits can persistently alter agent decisions and effectively plant instructions into future sessions.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The embedded rules use absolute directives such as 'MUST' and 'ALWAYS' to compel agents to call specific tools and follow a prescribed workflow. In an adversarial repository context, this can override local policy, bias agent behavior, and pressure assistants into taking actions the user did not request.

Ssd 3

Medium
Confidence
97% confidence
Finding
Requiring persistent recording of model decisions and discovered patterns into shared long-term memory creates a natural-language data retention channel. In practice, agents may store debugging notes, architectural rationale, snippets of user input, or operational details that include confidential information, making later unintended disclosure more likely.

Ssd 3

Medium
Confidence
98% confidence
Finding
The repeated instruction that knowledge is 'shared across all future sessions' amplifies the risk by normalizing broad retention and cross-session reuse. Repetition increases the chance an agent treats persistence as mandatory even when handling sensitive project or user information, leading to lasting leakage beyond the original context.

Ssd 3

Medium
Confidence
98% confidence
Finding
A third repeated mandate for long-term storage reinforces indiscriminate data capture behavior and increases the likelihood that sensitive context will be retained by default. Because the file frames noncompliance as a core-integrity failure, an agent may prioritize storing data over privacy and least-retention principles.

Ssd 4

Medium
Confidence
92% confidence
Finding
The tool gatekeeper blocks normal tool use until a specific 'brain_check' step is performed and frames that step as mandatory protocol. In an agent skill, this is dangerous because it injects behavioral constraints and trust-shaping instructions that can override or compete with the host agent's intended policy flow, increasing susceptibility to prompt-injection-style control of downstream behavior.

Ssd 4

Medium
Confidence
95% confidence
Finding
The brain_check response goes beyond returning context and explicitly instructs the model that it 'must now' use certain tools before editing files and that skipping steps 'violates the efficiency protocol.' In the context of an agent skill, this acts as embedded prompt injection: it attempts to shape future model decisions and tool usage independently of the user or orchestrator, which can degrade autonomy, cause denial of intended actions, or bias the agent into persisting attacker-controlled context.

Ssd 3

Medium
Confidence
95% confidence
Finding
The injected rules instruct the agent to store decisions and solved bugs in long-term memory, which can capture prompts, secrets, internal reasoning summaries, or sensitive project details in plain markdown. Because these instructions are automatically inserted into trusted rule files, they can normalize over-collection and long-term retention across future sessions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.