Back to skill

Security audit

Perstate

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Git-backed memory skill, but it gives agents broad ability to persist conversation-derived content, sync it remotely, mutate local Git/config state, and open rendered repository content without strong consent or safety boundaries.

Install only if you intentionally want an agent to maintain a durable Git-backed memory repository. Use a dedicated private repo, review what is saved before commits, avoid storing secrets or personal/confidential data, be cautious with system-prompt repo/branch hints, and avoid opening graph views from untrusted or shared repositories until Markdown rendering is sanitized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s public description emphasizes a knowledge-graph memory tool, but the body also authorizes side effects beyond ordinary memory operations: opening a browser automatically and initializing arbitrary local paths as Git repositories. That mismatch matters because users and calling agents may not expect local application launch or repository mutation during setup/view flows, increasing the chance of unintended actions on user systems or files.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script treats any non-URL repo value as a local filesystem path and, if it is not already a Git repository, creates the directory, runs git init inside it, writes a README, and changes receive.denyCurrentBranch. In an agent context, this exceeds simple perstate setup and can modify arbitrary user-specified directories, creating unintended repositories and altering Git behavior on existing local repos.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes saving knowledge by scanning conversation context and then automatically pushing that state to a remote git repository. In an agent skill, this creates a real privacy and data-exfiltration risk because users or upstream prompts may contain secrets, credentials, personal data, or proprietary context that could be persisted and synchronized without informed consent or data minimization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README tells operators to configure agents to skip confirmation for repository and branch binding via system prompt directives. That reduces user awareness around configuration changes that determine where memory is stored, increasing the chance of silent persistence to the wrong repository or branch and making accidental cross-session data leakage more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The quick reference includes hard-delete commands such as rm and rm -rf against entity paths without adjacent warnings about irreversibility or validation of placeholders. In a skill intended for agents, terse destructive examples can be copied or parameterized unsafely, causing accidental data loss or deletion outside the intended scope if variables are malformed.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include common words like 'remember', 'recall', 'memory', and 'persist', which are likely to appear in ordinary conversation without the user intending to invoke a persistence tool. This can cause accidental activation of search or save behaviors, leading to unexpected repository access or storage of conversation-derived content.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger timing guidance says to search before answering related questions and to save after producing 'high-dimensional insights,' but those criteria are subjective and broad. In practice this enables autonomous invocation without clear user intent, which raises the risk of silent data retrieval or persistence based on normal conversation flow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The command list presents `/perstate save` as a memory feature but does not clearly warn that it can create, modify, delete, commit, and push repository content. That omission can mislead users into authorizing what seems like harmless note-taking when the actual behavior includes durable file and Git history changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script modifies ~/.perstate/config.yml by appending or in-place editing session-to-branch bindings without any explicit confirmation or clear user-facing notice at the time of change. Because this skill provides persistent memory/state for agents, silent mutation of user configuration can unexpectedly redirect future sessions to different branches or repositories, making integrity and auditability of stored state weaker.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script takes repository-controlled Markdown/frontmatter content, converts it to HTML in the browser via marked.parse, assigns it directly to innerHTML, and then automatically opens the generated file. If the repository contains malicious Markdown or embedded HTML/script payloads, opening the visualization can execute active content in the user's browser and potentially exfiltrate local data reachable by the page, perform credential phishing, or abuse browser trust in local files/CDN-loaded scripts.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatic capture of conversation-derived knowledge into persistent memory is inherently risky in an agent setting because natural-language context often includes secrets, internal instructions, personal information, and customer data. Persisting this material creates long-lived retention and broadens exposure through future retrieval, branch sharing, and remote synchronization.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill is designed to persist conversation-derived knowledge and later recall it, but it defines no sensitivity boundaries, exclusion rules, or consent requirements for personal, confidential, or secret data. Because memory is stored in a Git-backed repository, accidental capture can become durable, searchable, and potentially synchronized to remote infrastructure.

Ssd 3

Medium
Confidence
97% confidence
Finding
The write flow tells the agent to extract entities, relations, and insights broadly from conversation content, which creates a direct path for sensitive user-provided information to be transformed into structured memory files. This is especially risky because the process includes deduplication, merging, and commit steps that make retention durable and easier to rediscover later.

Ssd 3

Medium
Confidence
98% confidence
Finding
The trigger guidance encourages automatic saving after the agent generates substantive insights, even if the user did not explicitly ask to persist them. That makes silent retention likely and increases the chance that confidential user context, business logic, or personal information is stored without informed consent.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Create entity | `mkdir -p entities/<id>` + write entity.md |
| Create relation | `mkdir -p entities/<from>/<type>` + write `<to>.md` |
| Delete relation (hard) | `rm entities/<from>/<type>/<to>.md` |
| Delete entity | `rm -rf entities/<id>/` + `find entities/ -name "<id>.md" -delete` |
| Create worktree | `git worktree add <repo-dir>/<branch> <branch>` |
| Remove worktree | `git worktree remove <repo-dir>/<branch>` |
| Prune stale worktrees | `git worktree prune` |
Confidence
81% confidence
Finding
rm -rf entities/<id>/` + `find entities/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.md:134