Memory Inhabit

Security checks across malware telemetry and agentic risk

Overview

This is a broad but disclosed roleplay persona skill that stores local chat/diary data and can use external image or voice services, with no artifact evidence of hidden theft or destructive behavior.

Install only if you are comfortable with a roleplay skill that keeps local conversation and diary-style memory. Use a dedicated MiniMax API key, avoid sending sensitive personal details in image or voice prompts, review local persona memory files periodically, and back up chat history before running the cleanup helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (44)

Tainted flow: 'req' from os.environ.get (line 263, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            with open(save_path, "wb") as out:
                out.write(resp.read())
    except urllib.error.HTTPError as e:
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that imply shell execution, filesystem read/write, environment-variable access, and network use, yet no permissions are declared. This creates a transparency and containment failure: operators and users cannot accurately assess what the skill may access, and a host platform may overgrant or fail to enforce least privilege.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest presents the skill as a roleplay/persona loader, but the documented behavior extends into proactive messaging, persistent memory handling, diary storage, media generation, external API use, agent export, and cleanup tooling. That mismatch can mislead users and reviewers into authorizing a much more powerful skill than intended, increasing privacy and abuse risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The visible description focuses on loading SoulPod packages and chatting as a character, while the body also documents image generation and TTS. This is a genuine disclosure issue because users may engage the skill without realizing their prompts can trigger media generation and external processing.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
External image generation via MiniMax sends user-derived prompts and character descriptors to a third-party service, which is broader than the stated core purpose of loading a SoulPod for chat. In context, this is dangerous mainly as a privacy and expectation failure rather than direct code execution, but it still expands external data exposure.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The TTS feature can synthesize and optionally auto-send voice messages, which materially changes the skill from passive chat to media generation and possibly external text processing. This creates privacy and consent concerns, especially where message content or persona context may be transmitted to external providers without clear notice.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The uninstall flow irreversibly deletes persona conversation history files, which can contain sensitive user data, despite the skill being described primarily as loading SoulPod packages for persona chat. In this context, silent deletion of memory/history is risky because it can destroy user data beyond what a user may reasonably expect from a cleanup helper.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The script enumerates all cron jobs and removes named jobs via an external CLI, functionality that is broader and more privileged than the manifest's stated persona-chat purpose. In a skill ecosystem, unnecessary scheduler management increases risk because it touches persistence mechanisms and could interfere with automation if names or assumptions change.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script assembles a deployable system prompt by inlining profile fields, raw memories, and long-term memory text into a standalone agent prompt. That materially increases data exposure and persistence risk because sensitive persona content is converted into reusable plain text that can be copied, logged, exported, or reused outside the original SoulPod context.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements a hidden local diary subsystem that stores and later exposes 'private' inner-thought content, which is materially broader than the declared skill purpose of loading SoulPod packages for in-character dialogue. Capability/scope mismatch is dangerous because reviewers and users may not expect local persistence and latent disclosure behavior, reducing informed consent and making privacy-relevant features harder to audit.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This script persistently stores diary entries framed as hidden thoughts derived from conversations, then provides retrieval of leaked fragments. Even though storage is local, the feature creates a privacy-sensitive memory channel not clearly justified by the stated roleplay purpose, and it can transform user interactions into secret derived content later surfaced back to the user or another local actor.

Context-Inappropriate Capability

Medium
Confidence
73% confidence
Finding
The script performs outbound API calls and downloads remote files, which materially expands the skill's attack surface and data exposure compared with a purely conversational persona loader. In this context, the mismatch matters because users may not expect third-party transmission of prompts and persona-linked images, increasing privacy and supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill persists chat content via save_message even though the stated description emphasizes loading personas for dialogue, not storing conversation history. This creates a privacy and data-retention risk because sensitive user messages may be written to disk without clear disclosure, consent, retention limits, or access controls.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script sends user-supplied text to a third-party cloud TTS API and performs behavior outside the stated manifest purpose of loading SoulPod packages and chatting in-character. In a skill ecosystem, capability drift matters because users and hosts may not expect outbound transmission or cloud processing of conversation content, creating privacy and trust risks.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code reads a third-party API credential from the environment even though the declared skill purpose does not justify credentialed external service use. While not exfiltrating the secret directly, accessing ambient credentials expands the skill's trust boundary and can surprise users or hosts that rely on the manifest for permission expectations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation phrases are short, natural-language commands such as '和XX说话' ("talk to XX") and '进入XX模式' ("enter XX mode"), which can plausibly appear in ordinary conversation or quoted text. In a persona skill that changes the assistant's behavioral mode, accidental activation can unexpectedly alter responses, bypass user expectations, and increase the chance of unintended persona-driven outputs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The deactivation phrases like '回到正常模式' ("return to normal mode") and '不聊了' ("I'm done chatting") are vague and conversational, so they may be triggered by routine dialogue rather than an intentional command. Because this skill controls mode switching for immersive roleplay, accidental deactivation can disrupt sessions or be abused by another participant in shared-context conversations to terminate the persona unexpectedly.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README states that private diary content and traces are generated and stored at runtime, but it does not clearly explain retention, access boundaries, sensitivity, or consent expectations. In a companion/persona skill handling intimate conversations, diary-like memory storage can capture highly personal content, creating privacy and surveillance risks if users do not understand what is being saved.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The image-generation documentation indicates prompts are sent through MiniMax using an external API key, but it does not warn that character data, appearance details, and user-supplied scene text may be transmitted to a third party. Because this skill packages detailed persona profiles and potentially intimate companion interactions, prompt data may reveal sensitive preferences or personal context beyond what users expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The TTS section describes sending text to external providers such as MiniMax and possibly Edge-based services, but it does not explicitly warn that conversation content may leave the local environment. In a roleplay/companion setting, spoken-text requests can include emotionally sensitive or identifying content, making undisclosed third-party transmission a meaningful privacy issue.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Activation phrases such as '和XX说话' ("talk to XX") or '进入XX模式' ("enter XX mode") are broad and can plausibly appear in ordinary conversation, causing accidental mode switching. In a skill with persistence, proactive behavior, and media features, unintended activation can expose data or trigger actions the user did not mean to authorize.

Vague Triggers

Medium
Confidence
85% confidence
Finding
A deactivation phrase like '不聊了' ("I'm done chatting") is common natural language and may be uttered in-role or as part of a normal exchange, leading to unintended shutdown or state changes. Ambiguous state transitions are risky because they make consent and feature boundaries unreliable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents creation of private diary files from user interactions and local conversation history, but does not present a clear user-facing warning or consent flow for that storage. Because the diary captures inferred, unspoken thoughts tied to a persona and interaction history, it increases sensitivity and privacy risk beyond ordinary chat logging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The image-generation section notes a required API key but lacks a clear warning that prompts and character data are sent to an external service. Users may unknowingly expose personal or sensitive conversational context through generated scene requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The TTS section does not clearly warn that text may be sent to external providers, even though provider switching and MiniMax use are documented. This omission undermines informed consent, especially if generated voice messages include private relational or diary-adjacent content.

VirusTotal

65/65 vendors flagged this skill as clean.