Agent Sleep

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a memory-maintenance tool, but it includes an undisclosed note-taking script that reads and writes an unrelated hard-coded notes file, and its documentation describes broad scheduled cleanup without enough safeguards.

Review this before installing. Do not enable scheduling or ask an agent to run the deep/cortexgraph flows until affected paths, deletion rules, backups, and sync destinations are explicit. Remove or inspect scripts/note.py unless you intentionally want this skill to access that separate note-taker file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents file-reading and file-writing behavior but does not declare corresponding permissions, which weakens transparency and consent boundaries for a system-maintenance skill that manipulates memory and archives. In an agent context, undeclared filesystem access can enable unexpected reading or modification of user data, making the behavior more dangerous than a purely descriptive mismatch.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a strong red flag because the skill claims to manage sleep/memory consolidation, but the detected behavior reaches into an unrelated external note-taker directory and writes arbitrary notes there. Access to /Users/guohongbin/mcp-note-taker/notes.txt is outside the declared purpose and suggests covert data access or unauthorized persistence, which is especially risky for an autonomous maintenance-oriented skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a generic note-taking wrapper that appends arbitrary content to a fixed notes file, which does not align with the declared purpose of a sleep/cleanup skill. This capability creates an undocumented persistence channel for agent-generated or user-derived data, making it easier to retain sensitive information outside the expected sleep, archival, or workspace-cleanup workflow.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script hardcodes writes to /Users/guohongbin/mcp-note-taker/notes.txt, an external tool directory unrelated to the stated skill purpose. Writing agent-controlled content into another tool's storage creates unauthorized cross-tool data flow, risks leaking sensitive information, and can tamper with or pollute the state of a separate application without user awareness.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation interface exposes a one-shot command that triggers a full sleep cycle, but the manual does not define explicit guardrails such as required confirmation, scheduling limits, scope restrictions, or operator authorization. In a maintenance skill that archives logs and deletes files, broad triggering increases the risk of accidental or unauthorized execution leading to unintended data loss or workflow disruption.

Missing User Warnings

High
Confidence
94% confidence
Finding
The behavior explicitly includes moving raw logs to an archive and deleting temporary and log files, yet the documentation provides no warning about destructive effects, retention expectations, or recovery options. Because this is a system-maintenance skill operating on memory and workspace data, unclear destructive semantics make accidental invocation especially dangerous and can cause irreversible loss of forensic, debugging, or operational information.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manual trigger phrase "Run a sleep cycle" is generic enough that it could plausibly appear in normal conversation, status discussion, or copied text, causing the agent to invoke a destructive maintenance workflow unintentionally. In this skill's context, that risk is amplified because the documented action performs archival and cleanup, so a false trigger could lead to loss of active workspace state or unintended file operations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README describes compressing logs, updating memory, archiving raw logs, and cleaning temporary files, but does not warn users that these operations may be irreversible, alter historical records, or remove data needed for recovery and auditing. In an autonomous agent setting, this omission is especially dangerous because operators may schedule it unattended via cron, increasing the chance of silent data loss or corruption spreading before anyone notices.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Deep Sleep workflow explicitly includes cleanup and deletion behavior, but the documentation does not warn users about possible data removal or loss. In a maintenance skill that runs on a schedule, missing deletion warnings can lead to silent destructive actions, accidental archival of important data, or irreversible loss if the cleanup scope is broader than expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CortexGraph sync flow states that MEMORY.md and daily logs are synchronized to an external system, but there is no user-facing privacy notice or consent language. Because memory files and logs often contain sensitive prompts, outputs, and personal data, silent synchronization increases the risk of unintended disclosure beyond the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.