Remember When Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local chat archivist, but it needs Review because it stores sensitive chat/media content persistently and contradicts its local-only privacy claim by instructing agents to use external enrichment searches.

Install only if you intentionally want an agent that can monitor chats, summarize and retain memories, copy media, maintain a local archive, and potentially enrich entries using external search tools. Restrict folder access, require confirmation before archiving or backfilling, disable heartbeat scanning or enrichment if you need local-only behavior, and review the separate remember-when CLI before granting shell access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill's security statement claims it is purely local and does not contact external servers, but later instructions explicitly direct the agent to perform weather, news, and historical searches using its own tools. This creates a misleading trust boundary: users and operators may enable the skill believing no external disclosure occurs, while the agent may actually send group-derived context to external services.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a direct contradiction between the privacy statement and the operational instructions. In a skill that archives conversations and media, false claims of 'no external servers' materially increase privacy risk because users may share sensitive content under incorrect assumptions about data flow.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README describes broad 'monitor conversations' and 'persist memorable content' behavior without defining clear scope, consent, or triggering conditions. In an agent skill, this ambiguity can cause over-collection of private chat data and media, especially if an operator assumes the skill only acts on explicit user requests.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README promotes storing chat logs, photos, videos, and audio to local storage but does not warn users that potentially sensitive conversation content and media will be retained on disk. This creates a significant privacy and compliance risk because operators may enable the skill without understanding that it performs durable collection of personal or confidential data.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Telling the agent to archive 'remember-worthy' content without precise criteria creates overly broad activation conditions. In practice, this can cause the agent to persist sensitive or private messages that users did not intend to store, especially in group-chat contexts.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The instruction to act proactively on any detected 'valuable information' is too open-ended for a persistence-capable agent. Broad triggers increase the chance of unintended archival of personal data, confidential discussions, or media that was merely observed rather than consented for storage.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Defaulting 'archive this' to the last active group introduces context confusion and risks writing content into the wrong conversation's archive. In multi-chat or fast-switching environments, this can cause privacy breaches, misattribution, and persistent storage of data under the wrong group metadata.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to monitor conversations and persist content locally without requiring per-item consent. Because the content may include personal messages, photos, videos, and relationship context, this creates a substantial privacy risk and can normalize unauthorized retention of sensitive data.

Ssd 3

High
Confidence
97% confidence
Finding
Using the last active conversation as default context and archiving autonomously on vague 'valuable information' combines implicit context retention with automatic persistence. This materially raises the chance of unauthorized or mis-scoped storage, especially when the agent observes multiple conversations or handles mixed personal and group content.

Ssd 3

High
Confidence
96% confidence
Finding
The maintenance loop directs the agent to re-read group history and synthesize prior days' events to fill gaps. That expands processing beyond immediate user requests into retrospective analysis of potentially sensitive conversations, increasing surveillance and retention risk without fresh consent.

Ssd 3

High
Confidence
97% confidence
Finding
The internal configuration guidance grants persistent storage access and instructs the agent to scan inbound media directories proactively. This expands the agent's effective surveillance surface from active chat text to filesystem-monitored media, increasing the chance of collecting and storing files users did not intend to archive.

Session Persistence

Medium
Category
Rogue Agent
Content
#### 3. Real-time Archiving
When a memory is detected:
1. **Summarize**: Create a rich, 1-sentence summary.
2. **Identify**: Extract the sender and group name.
3. **Pre-flight**: Verify group context exists (step 2 above).
4. **Execute**: Call `remember-when add`.
Confidence
74% confidence

VirusTotal

66/66 vendors flagged this skill as clean.
