Engram Memory

Security checks across malware telemetry and agentic risk

Overview

Engram’s memory features are coherent, but the skill should be reviewed before installation because it defaults to persistent capture and recall of user content and makes lasting changes to the local environment during setup.

Install only if you are comfortable with a local long-term memory store. Review and consider disabling autoCapture/autoRecall for sensitive work, avoid storing secrets or regulated data, inspect shell startup file changes after setup, keep Qdrant/FastEmbed bound to trusted local services, and prefer explicit memory deletion by ID rather than vague query-based deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                logger.info("Started existing Qdrant container")
            else:
                # Create new container
                subprocess.run([
                    "docker", "run", "-d",
                    "--name", "engram-qdrant",
                    "-p", "6333:6333", "-p", "6334:6334",
Confidence
84% confidence
Finding
subprocess.run([ "docker", "run", "-d", "--name", "engram-qdrant", "-p", "6333:6333", "-p", "6334:6334",

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This file is a full generic web-application scaffold, including frontend, backend, authentication, user management, deployment, and database operations, which is materially unrelated to the skill's declared purpose of persistent semantic memory using Qdrant/FastEmbed. In an agent skill, shipping broad unrelated scaffolding expands the model's reachable capability surface and can steer downstream code generation toward unnecessary networked services and account systems, increasing the chance of insecure or over-privileged implementations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template introduces an authentication flow with credential submission, JWT issuance, token storage, and user-context extraction despite no demonstrated need for end-user account management in a semantic-memory skill template. Unnecessary auth/account patterns are dangerous because they encourage developers or agents to build sensitive identity features they may not secure correctly, creating avoidable exposure around credential handling, session management, and authorization logic.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest presents the plugin as persistent semantic memory, but it also exposes project-scoped .context search and codebase Q&A tools. This capability expansion can surprise users and downstream agents, increasing the chance that a memory plugin is invoked to access local project information that may be sensitive or outside the user’s intent.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill is presented as persistent semantic memory, but it also exposes project-context querying and assistant capabilities that can inspect arbitrary project paths. This creates a broader capability surface than advertised, increasing the chance that an agent or user invokes filesystem-aware tooling in situations where only memory storage/recall was expected.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This plugin can execute external subprocess-based context tools even though that capability is not necessary for semantic memory operations. In an agent setting, this expands the trusted computing base and can enable unintended file access, codebase inspection, or propagation of untrusted input into external scripts, making misuse more dangerous than the advertised purpose suggests.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Managing Docker from a setup script expands the skill's capabilities into host environment orchestration, which increases risk because it can start containers, expose ports, and modify the local runtime state. In this memory-system context, running Qdrant is functionally relevant, but automatic Docker control still deserves scrutiny and explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The setup script advertises and enables additional 'context' and Q&A capabilities beyond the stated persistent-memory function, increasing the installed skill surface area and user exposure. This is dangerous because users may consent to a memory service but unknowingly receive broader tooling and behaviors, violating least surprise and least privilege.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script persists changes to user shell startup files by appending a PATH entry, which alters future shell behavior outside the immediate installation session. Persistent environment modification is sensitive because it affects later command resolution and can create long-lived trust in this repository's executables without clear necessity for the memory service itself.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest markets the skill as persistent semantic memory, but it also exposes project context search and question-answering over local .context files. That scope expansion can cause agents or users to invoke codebase/context access capabilities they would not reasonably expect from a memory plugin, increasing the chance of unintended disclosure of sensitive project information.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The plugin exposes context_search and context_ask capabilities even though the skill is described as persistent semantic memory. This broadens the skill's effective authority to inspect project context and invoke auxiliary tooling, creating a scope mismatch that can lead agents or users to grant it more trust than its actual capabilities warrant.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The generic run_script helper enables execution of auxiliary subprocess-based tools, including context tooling unrelated to the advertised memory purpose. Even without shell injection, this increases attack surface and can be abused to access or process local project data through unexpected code paths.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents automatic recall and capture of conversation content, but it does not clearly warn users that potentially sensitive prompts, responses, or personal data may be persistently stored and later re-injected into future contexts. In a memory plugin for AI agents, this can lead to unintentional retention, resurfacing, or cross-task disclosure of sensitive information, especially if users enable the feature without understanding the privacy and deletion implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Enabling auto-capture and auto-recall by default means conversation content and contextual data may be persistently stored and later resurfaced without a strong, explicit consent notice. In an agent setting, this can retain sensitive prompts, secrets, personal data, or customer information beyond the user’s expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples encourage storage of user preferences and customer-related facts without accompanying privacy guidance, minimization rules, or warnings about sensitive data handling. This normalizes persistent collection of personal or operational information in a way that could lead to privacy violations or accidental retention of regulated data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The template documents destructive operations such as user deletion and database restore in a routine reference style without prominent warnings, confirmation requirements, backup guidance, or environment scoping. In agent-assisted development, this normalizes dangerous actions and raises the risk that an agent or developer will apply deletion or restore commands in the wrong environment, causing data loss or service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code sends full context file contents and user queries to an embedding service over HTTP without any explicit consent, warning, or data classification check. Even though the default target is localhost, the URL is configurable via environment variable, so sensitive project notes, secrets, or proprietary data in `.context/*.md` can be transmitted to an external service unintentionally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The architecture explicitly documents auto-capture and auto-recall of user memory, but the document does not pair those behaviors with clear consent, visibility, retention, or privacy warnings. In a persistent memory skill, silently storing and later resurfacing user content can expose sensitive data across sessions and contexts, especially when users may not realize their inputs are being retained.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented flow shows stored memories being injected into agent context during auto-recall without a clear warning about cross-session data reuse. This creates a real privacy and data-governance risk because previously stored sensitive information may be surfaced in later prompts or tasks where the user does not expect it, potentially influencing outputs or leaking information to downstream tools.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document states that Engram Cloud 'processes vectors in transit' but does not prominently explain the privacy and data-governance implications of sending embeddings or memory data to a cloud service. In a memory system for AI agents, vectors may encode sensitive user or organizational information, so understated disclosure can lead to unintentional external transmission and compliance or confidentiality issues.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples explicitly persist customer preferences, customer stack details, and issue-pattern data in long-lived memory without any warning about consent, retention, minimization, or sensitive-data handling. In a persistent-memory skill, this normalizes storing potentially sensitive customer information across sessions, which can lead to privacy violations, over-collection, or accidental later disclosure to unrelated prompts or agents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These examples store named team members, roles, skills, and project constraints in persistent memory without indicating privacy implications or access restrictions. Because the skill is specifically designed for cross-session recall, this increases the chance that personally identifying workplace data is retained longer than intended and surfaced in unrelated contexts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Slack and calendar integrations persist free-form message text and meeting notes directly into memory, which may contain personal data, confidential business information, credentials, or regulated content. Storing raw user-generated content without disclosure, filtering, or consent is particularly risky in a memory product because the data may later be retrieved, reused, or exposed beyond the original context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CRM sync example stores external customer data summaries into persistent memory without any discussion of data sensitivity, scope limits, or authorization boundaries. This is dangerous because CRM records often contain personal, contractual, or commercially sensitive information, and copying them into agent memory can create an uncontrolled secondary datastore with broader exposure and weaker governance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly describes automatic recall of prior conversation content and automatic capture of facts after responses, but it does not warn users about privacy, retention, consent, or sensitive-data handling. In a persistent memory plugin, this omission can lead to unintentional storage and reuse of confidential information across sessions, increasing the risk of privacy leakage and inappropriate data persistence.

VirusTotal

64/64 vendors flagged this skill as clean.
