Back to skill

Security audit

Memory Tree 记忆树架构

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate long-term memory design, but it stores and reuses conversation content too broadly, including credential-like data, without enough privacy controls.

Install only if you intentionally want a local long-term memory architecture and are prepared to add safeguards before real use. Do not use it with secrets, credentials, confidential work, or regulated personal data unless you add opt-in controls, secret redaction, per-user/session isolation, retention and deletion controls, and filtering before any retrieved memory is inserted into prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill is explicitly designed to ingest, score, persist, and retrieve long-term user conversation data across sessions and sources, but it provides no visible consent, retention, or privacy safeguards. In a memory architecture skill, persistent storage is expected, yet omitting user-facing warnings and retention controls creates a real privacy and compliance risk rather than a purely informational issue.

Missing User Warnings

High
Confidence
98% confidence
Finding
The scoring rules and entity extraction logic explicitly treat credential-related content such as API keys as memorable content, which increases the chance that secrets will be stored, indexed, and later retrievable. Because the same skill also describes prompt reinjection of retrieved memory, accidental secret resurfacing becomes materially more dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists full conversation messages to a local SQLite database by default, but provides no consent flow, disclosure, retention control, or data minimization. In a long-term memory skill, users may reasonably disclose personal, proprietary, or regulated information, so silent storage increases privacy and compliance risk if the host application exposes this behavior without notice.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The scoring rules explicitly recognize credentials and secrets (for example api keys, tokens, secrets, and passwords), and the ingest path stores raw message content unchanged. That means the system is designed to retain exactly the kind of sensitive data that should usually be redacted or excluded, creating a higher risk of credential leakage through database compromise, debugging, backup exposure, or later retrieval.

Ssd 3

Medium
Confidence
95% confidence
Finding
The architecture stores normalized conversation content and metadata, then uses that stored material for future retrieval, creating a direct path for sensitive user input to persist beyond the original session. This becomes a genuine data exposure issue because the examples and scoring rules include credential-related material as memory-worthy rather than excluded.

Ssd 3

Medium
Confidence
99% confidence
Finding
The scoring table explicitly awards points to credential-related content, encouraging retention of exactly the kind of information that should usually be excluded from long-term memory. In the context of an AI memory system, this materially increases the likelihood of storing exploitable secrets and replaying them later through search or prompt augmentation.

Ssd 3

Medium
Confidence
97% confidence
Finding
The integration instructions say retrieved memories should be injected into the system prompt, which can silently resurface previously stored sensitive data in later model runs. When combined with long-term storage and permissive retention of secrets, this creates a strong risk of cross-session leakage, overexposure to tools/plugins, and unintended disclosure in outputs.

Ssd 3

Medium
Confidence
98% confidence
Finding
This memory skill stores full user and assistant content, including examples involving budgets, preferences, project repositories, and logic that flags passwords and tokens as memory-worthy. In the context of an AI long-term memory system, this is more dangerous than in ordinary logging code because the explicit purpose is to retain and later retrieve conversational details, magnifying privacy leakage, secret retention, and cross-session data exposure risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.