
Security audit

local_memory

Security checks across malware telemetry and agentic risk

Overview

This skill appears local-only and purpose-built for memory, but it automatically reads, stores, and reinjects conversation content across all chats with limited real user control.

Install only if you intentionally want automatic local memory across all conversations. Review stored memories regularly, avoid sharing secrets or credentials while it is enabled, and consider modifying the skill to add opt-in controls, per-chat scoping, memory preview before injection, and confirmation before deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The function claims to extract memories from a conversation, but it concatenates both the user message and the assistant reply and persists matches from either. This can store model-generated or prompt-injected assistant content as durable memory, enabling self-reinforcing false facts, memory poisoning, and persistence of sensitive/generated content that the user never intended to save.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The test script inserts what appears to be a real public server IP address and SSH port into persistent memory during a local-memory functionality test. Even if this is only demo data, embedding sensitive-looking infrastructure details in test code encourages unsafe handling of secrets and can leak operational information through logs, screenshots, repositories, or downstream memory stores.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill declares a global auto-trigger that enables memory processing for every conversation without any per-session consent or scope limitation. This can cause unintended collection and use of sensitive conversational data, especially when users do not realize the feature is always active.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The documentation promotes automatic extraction and injection of memories from conversations but does not clearly warn users that their chats may be continuously processed and stored locally. Even if storage is local, silent retention of potentially sensitive data creates privacy and confidentiality risks, including accidental persistence of credentials, health information, or private project details.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Automatic extraction is enabled by default and conversation-derived content is saved to long-term memory without any disclosure, consent, or visible control in this code path. In an agent context, that creates privacy and compliance risk because users may unknowingly have personal, sensitive, or regulated information retained for later use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code automatically injects retrieved memory content into future conversation context when auto_inject is enabled, without any apparent consent gate, preview, or minimization. This can expose previously stored sensitive data in unrelated interactions and increases prompt-injection and privacy leakage risk because stored content is silently reintroduced into model context.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The deletion routine removes memories based on embedding similarity above a threshold with no confirmation step, dry run, or user-visible review of what will be deleted. This can cause unintended destructive deletion when semantically similar but important memories match the query, leading to integrity and availability issues for stored user data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The code automatically extracts and stores memories from every completed conversation whenever both `user_message` and `assistant_reply` are present, with no consent check, notice, opt-in, or filtering visible in this file. In a memory skill, this makes the issue more dangerous because users are likely to share personal or sensitive information during normal use, which can then be retained and later injected back into prompts or exposed via recall/list commands.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The manifest registers a message trigger with pattern ".*" and high priority, so the skill runs on every message without any scope constraints. In a memory-management skill that automatically extracts and injects conversation content, this creates broad access to all user messages, increasing privacy exposure, unintended data collection, and the chance of interfering with unrelated conversations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script not only stores sensitive-looking server connection details but also searches and prints them back to stdout without masking or any warning. In an agent or skill context, stdout may be captured in logs, CI output, chat transcripts, or telemetry, turning a local test into an information disclosure path.

VirusTotal

67/67 vendors reported this skill as clean; no vendor flagged it as malicious.


Static analysis

No suspicious patterns detected.