Security audit

Agent Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it needs review because it persistently stores sensitive client, project, and trade history with broad automatic recall and no true deletion flow.

Install only if you intentionally want long-term local agent memory. Before using it with real clients, prospects, trades, or confidential business data, define what may be stored, avoid secrets and payment data, require confirmation for sensitive records, and add a real delete or anonymization process for removal requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill says contacts requesting deletion should be 'forgotten' but the documented behavior is to archive and flag them, which preserves personal data instead of erasing it. This creates a privacy and compliance risk because operators may believe deletion occurred while the data remains retrievable in archived storage.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README promotes persistent storage of sensitive categories of data such as clients, trades, projects, and knowledge, and explicitly states that session context is loaded automatically across sessions, but it provides no privacy, consent, retention, access control, or minimization guidance. In an agent skill, this can lead operators to store personal, confidential, or regulated data by default and have it silently reused later, increasing the risk of privacy violations, unauthorized disclosure, and unsafe downstream actions based on stale or overscoped memory.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The REMEMBER triggers are extremely broad ('after any client interaction', 'after any lesson learned', etc.), which can cause the agent to persist sensitive, irrelevant, or user-supplied data without adequate review. In a long-term memory skill, over-collection is especially risky because unintended writes become durable and may influence future decisions or leak through later retrievals.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The cross-skill firing rules allow other skills to automatically create or update persistent memory based on loosely defined events, without clear authorization, validation, or trust boundaries. This can let compromised, buggy, or prompt-injected upstream skills poison memory, store inappropriate data, or trigger cascading writes across domains.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill is designed to store persistent client, project, and interaction data across sessions, but it does not present a prominent upfront warning about retention, profiling, and privacy implications at the point of use. Because the stored examples include personally identifiable information and behavioral history, users may unknowingly enable long-term collection that exceeds expectations or policy.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The tool persists client, project, trade, and knowledge records directly to disk under /workspace/memory, and the code clearly stores potentially sensitive fields such as names, companies, emails, notes, and interaction history. In an agent skill that provides long-term memory across sessions, silent persistence increases privacy and data-handling risk because users or downstream operators may not realize confidential or personal data is being retained indefinitely in plaintext.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.