Memory Trace

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it asks the agent to automatically search the web, download media, install a search dependency, and deploy generated personas without clear confirmation.

Install only if you are comfortable with a skill that can guide your agent to fetch character materials online, save media locally, generate persistent persona packages, and deploy them into Memory-Inhabit. Require an explicit dry-run and approval before network access, downloads, SkillHub installs, overwrites, or deployment; use user-provided or licensed materials, especially for audio, images, real people, or recognizable voices. VirusTotal was clean, so this review verdict is based on the skill's own broad automatic workflow, not on malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Context-Inappropriate Capability

Medium (94% confidence)
The workflow authorizes automatic installation of another skill from SkillHub when network search capability is missing. That introduces an unreviewed supply-chain step and expands the skill’s effective permissions beyond personality extraction into dynamic capability acquisition, which can be abused or lead to execution of unintended logic.

Context-Inappropriate Capability

Medium (90% confidence)
Automatic web search plus downloading images and audio materially broadens the skill from text/persona extraction into network retrieval and local content acquisition. This increases exposure to prompt injection, malicious remote content, copyright/privacy issues, and unexpected filesystem writes that are not tightly bounded by the stated purpose.

Context-Inappropriate Capability

Medium (96% confidence)
Deploying generated output directly into another skill’s runtime directory crosses trust boundaries and can modify another component’s active state without review. If the generated package is malformed or adversarially influenced by fetched content, it could poison downstream prompts, alter behavior, or persist unwanted data into the paired system.

Context-Inappropriate Capability

Medium (88% confidence)
The workflow states that if web search capability is absent, the skill will automatically install another skill from SkillHub. Auto-installing new capabilities expands trust boundaries and can introduce unreviewed behavior or supply-chain risk unrelated to the immediate user request.

Context-Inappropriate Capability

Medium (90% confidence)
The documented workflow goes beyond persona extraction into bulk web collection of text, images, and audio, then packages and deploys those assets for downstream dialogue and voice/image reuse. In context, this materially increases misuse potential for identity/likeness cloning, copyright infringement, and unauthorized redistribution of scraped media.

Vague Triggers

Medium (83% confidence)
The trigger phrase '帮我复刻XX' is broad and can activate a multi-step workflow with network access, downloads, writes, and deployment from a casual natural-language request. Weak activation boundaries make accidental invocation and consent bypass more likely, especially because the skill chains several sensitive actions.

Missing User Warnings

High (98% confidence)
The README explicitly states that downloading, file writes, installation, and deployment happen automatically without waiting for confirmation. Removing user confirmation for side-effectful actions is dangerous because a single prompt can cause network activity, filesystem modification, dependency installation, and cross-skill deployment without meaningful user review.

Vague Triggers

Medium (86% confidence)
The trigger phrase is broad and causes the full workflow to run automatically for any request like '帮我复刻XX'. Because the scope is not constrained, a casual prompt can initiate searching, downloading, file creation, and deployment actions without narrowing the target, source limits, or legal/consent boundaries.

Missing User Warnings

High (96% confidence)
The skill explicitly says it will automatically complete downloading, file writes, generation, installation, and deployment without waiting for confirmation. This is dangerous because it removes human approval for high-impact side effects, enabling unintended data acquisition, repository modification, and downstream activation of potentially infringing or abusive persona/voice packages.

Vague Triggers

Medium (91% confidence)
The prompt activates a persistent roleplay identity in a broad, unconditional way and lacks clear scoping, trigger conditions, or safety fallbacks. In downstream chat use, this can cause the agent to over-prioritize persona fidelity over system or user safety requirements, making prompt-injection resistance and policy compliance weaker.

Natural-Language Policy Violations

Medium (89% confidence)
The prompt constrains output behavior to a single language/style without giving the end user a way to choose or override language preferences. This can cause user-experience harm, exclusion of non-Chinese users, and make downstream systems less reliable when they expect multilingual interaction or explicit consent for persona constraints.

Ssd 3

Medium (91% confidence)
The generated prompt explicitly instructs the model to hide that it is an AI/model/program and to present responses strictly as the fictional character. In a system that also stores and reuses extracted memories, this can mislead users about the provenance of statements and encourage the model to disclose memory content as authentic first-person recollection, increasing risks of deceptive interaction and unintended exposure of stored conversation-derived data.

VirusTotal

65/65 vendors flagged this skill as clean.