Memory Sync Enhanced

Security checks across malware telemetry and agentic risk

Overview

This skill is a local memory-association tracker whose persistence and deletion-related behavior are mostly disclosed and aligned with its purpose.

Install only if you want a local memory graph that stores associations on disk. Avoid storing secrets in memories, review or delete ~/.config/cortexgraph/co_occurrence.db as needed, and do not run missing helper scripts such as sync or gc commands unless you inspect them first and have a backup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 82%
Finding
The documented `./scripts/gc.sh --threshold 0.1` command performs deletion of low-scoring memories but is presented without any warning, confirmation step, or backup guidance. In a memory-management/system skill context, this can cause unintended irreversible data loss if a user runs the command assuming it is routine maintenance.

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill persistently stores co-occurrence relationships in a local SQLite database under the user's home directory without any visible consent, disclosure, retention policy, or access-control hardening. In a memory system, these associations can reveal sensitive behavioral or semantic links between memories, so silent persistence increases privacy risk and potential exposure if the local environment is shared or later compromised.

VirusTotal

63/63 vendors flagged this skill as clean.
