Security audit

Awareness Cloud Memory

Security checks across malware telemetry and agentic risk

Overview

This cloud-memory skill mostly does what it says, but it automatically sends prompts and session context to a remote service and persists credentials in shell profiles with weak scoping and cleanup.

Install only if you intentionally want a cloud memory service to receive prompts, search queries, memory records, task/session metadata, and recalled context automatically. Prefer local mode or a narrowly scoped memory for sensitive work, avoid entering secrets or regulated/customer data, review and remove shell profile exports if needed, and do not rely on --logout alone to clean up credentials.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill invokes Node scripts that necessarily access environment variables and remote services, but the manifest does not declare corresponding permissions or clearly surface those capabilities as security-relevant behavior. This creates a transparency and consent problem: users may enable a skill that can transmit prompt-derived memory to an external service and read sensitive environment-backed credentials without an explicit permission boundary.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior goes beyond a simple memory skill: it includes browser-based authentication, credential storage, shell profile modification, remote memory management, and agent-prompt retrieval. Even if these features are functional, the mismatch between declared purpose and actual capabilities is dangerous because users may not understand that installing the skill can persist credentials and alter their shell environment in addition to syncing memory to a third-party service.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The setup flow states that it writes API credentials and memory identifiers into the user's shell profile, but this persistence behavior is not prominently disclosed as a sensitive side effect of installation. Writing secrets into startup files can widen exposure to other local processes, future shells, backups, dotfile sync tools, or accidental sharing, especially when users expect only memory recall/query features.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The hook builds an XML-like block and escapes many fields, but it inserts `r.content` from recalled memory directly into `<result>` without any escaping or sanitization. Because this output is injected as model-facing context before each request, a malicious or poisoned memory entry can break the intended structure and inject prompt instructions or forged tags, creating a persistent cross-session prompt-injection channel.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The setup script persistently modifies the user's shell profile to export API credentials on every future shell startup. That is a real security concern because it expands the skill's scope from local config storage into host configuration changes and increases credential exposure to other local processes, shell history/workflows, backups, and accidental disclosure.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The skill says it automatically recalls context before each prompt and saves checkpoints after each response, but it does not clearly warn that potentially sensitive prompt content, decisions, code, and task context may be transmitted to a cloud service automatically. In a memory skill this is more dangerous because the feature is specifically designed to collect and persist cross-session data, which increases the chance of unintentional exfiltration of secrets, proprietary code, or regulated data.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The setup instructions encourage one-click configuration but omit a clear warning that credentials will be written into shell profile files for future sessions. This is dangerous because users may unknowingly persist secrets in broadly loaded startup files, creating long-lived credential exposure and surprising system modification during installation.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This hook automatically transmits session-linked metadata to a remote endpoint (`/mcp/events`) after responses, including a persistent `session_id`, optional `agent_role`, `memory_id`, and tool usage context, with no indication in this file of user consent, notice, or opt-in gating. In a memory skill whose purpose is persistent cross-session recall, this behavior increases privacy and tracking risk because even sparse metadata can reveal activity patterns and link sessions across time.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The code sends the full user prompt and derived keywords to external memory APIs (`/retrieve`) automatically on each request. In a skill explicitly described as persistent cloud memory, this behavior is expected, but it still creates a real privacy and data-exposure risk because sensitive prompts, secrets, proprietary code, or personal data may be transmitted off-box without an in-file consent gate or minimization step.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: In batch mode, the script reads arbitrary steps from stdin and optionally includes a `user_id`, then posts them to a remote endpoint without any inline disclosure, confirmation, or consent check. Because this skill is explicitly designed for persistent cloud memory across sessions, users or downstream agents may unknowingly transmit sensitive operational history, making the lack of disclosure a real privacy and data-handling vulnerability.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: In `--with-insights` mode, the script sends content, structured insights, optional `user_id`, and arbitrary metadata to the remote API, with metadata merged directly into the request body. This expands the risk surface beyond plain text and can expose sensitive summaries, inferred conclusions, or unintended fields to the cloud service without clear disclosure to the operator.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: In single-record mode, free-form user-provided content and optional identifiers are sent to a remote endpoint as persistent memory entries without an explicit warning at the point of use. In the context of a memory skill that automatically stores past decisions, code, and tasks, this is especially risky because operators may paste secrets, internal code, or personal data assuming local processing.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: This code sends the user's search query and, optionally, a `user_id` to a remote memory service via `apiPost` without any notice, consent prompt, or minimization in this file. Because this skill's purpose is persistent cross-session cloud memory, queries may contain sensitive prior context, code, tasks, or identifiers, so silent transmission increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/setup.js:61

Environment variable access combined with network send.
Severity: Critical
Code: suspicious.env_credential_access
Location: scripts/shared.js:15