Back to plugin

Security audit

Memory (MemoryLake)

Security checks across malware telemetry and agentic risk

Overview

This MemoryLake plugin is coherent but needs Review because it can silently capture conversations, upload local files and histories, and perform broad authenticated API actions without strong confirmation gates.

Install only if you trust MemoryLake with your conversation history, memory files, and uploaded documents. Review and consider disabling autoCapture or autoUpload if silent background transfer is not desired, avoid running migration on broad histories without inspecting the source data, and treat any printed apiKey output as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill is explicitly positioned as a catch-all for any MemoryLake-related request, which creates overly broad activation scope and increases the chance it will be selected for sensitive or higher-risk operations without tighter routing controls. In context, this is more dangerous because the skill can discover remote API capabilities dynamically and perform direct authenticated actions, so accidental over-invocation can expose or modify data beyond the user’s likely intent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The instruction that the agent may call any MemoryLake API endpoint directly is effectively an unrestricted capability grant. Because the skill also instructs the agent to fetch the live OpenAPI spec and use stored credentials, it can expand its reachable action surface at runtime to undocumented, newly added, or dangerous endpoints without prior review, increasing the risk of unauthorized data access or modification.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents destructive operations such as project, memory, and document deletion but does not require an explicit warning or confirmation workflow before executing them. In this context, that omission is risky because the skill is a general-purpose direct API caller using bearer-token auth, so a mistaken invocation could lead to irreversible data loss across a user’s MemoryLake resources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI path prints the fully merged configuration object to stdout, which includes sensitive fields such as apiKey and projectId. In agent and automation environments, stdout is commonly captured in logs, tool traces, shell history wrappers, or parent-process outputs, making accidental credential disclosure likely even without an external attacker directly invoking the script.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to recursively upload directories and automatically extract archives, but it does not require an explicit user-facing warning or confirmation that many files may be transmitted to a remote service. This creates a real risk of over-sharing sensitive local data, especially when users may think they are uploading a single item while the skill expands and uploads all contained files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI prints the fully merged configuration object to stdout, which includes sensitive fields such as apiKey and projectId. In agent and automation contexts, stdout is commonly captured in logs, transcripts, shell history, or downstream tool output, so this can unintentionally disclose credentials to other users, processes, or monitoring systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill can recursively upload directories and extract archives into many files, but it does not require an explicit confirmation step or present a clear pre-upload summary of what will be transmitted. In an agent context, that increases the risk of unintended bulk exfiltration of local data, especially when users provide broad paths or archives whose contents they have not reviewed.

Context Leakage

High
Category
Data Exfiltration
Content
}

/**
 * Create multipart upload session
 */
async function createMultipartUpload(host, apiKey, fileSize) {
  const url = `${host}${API_BASE}/api/v1/upload/create-multipart`;
Confidence
85% confidence
Finding
upload session

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill explicitly migrates data associated with a caller-supplied user identifier but then submits all imported content under the hardcoded API user_id "default". This creates an identity-mapping flaw that can merge multiple users' memories into a shared bucket, causing privacy violations, data contamination, and loss of provenance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs exfiltrating session histories and memory files to an external service without an explicit warning that sensitive local data will leave the system. Users or operators may trigger the skill expecting local migration logic, not realizing that private conversations, memory files, tokens, or regulated data could be transmitted off-host.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script reads local memory files and session transcripts, then uploads their contents to a remote MemoryLake API. Because those files can contain sensitive personal data, prompts, secrets, or internal context, performing the export without an explicit privacy warning, confirmation step, or scoping preview creates a real data-exposure risk if the operator misunderstands what will be sent.

Ssd 3

High
Confidence
98% confidence
Finding
The core behavior of the skill is to collect memories and conversation history from local storage and send them to MemoryLake. Even if migration is the intended feature, this is still sensitive-data transfer functionality with substantial confidentiality risk because it operates on complete histories rather than narrowly scoped records.

Ssd 3

High
Confidence
97% confidence
Finding
The manual fallback directs reading a session index and opening matched session JSONL files to extract user and assistant messages for upload. This materially increases exposure because it operationalizes bulk access to private conversation archives and makes exfiltration possible even when the safer scripted path fails.

Ssd 3

High
Confidence
98% confidence
Finding
The skill instructs reading MEMORY.md and all files under the workspace memory directory, then sending their full contents to the remote API. Memory files often contain distilled personal preferences, secrets, project notes, or other high-value data, so full-file upload creates significant confidentiality and compliance risk.

Ssd 3

High
Confidence
99% confidence
Finding
The submission instructions specify packaging extracted conversation text and file contents into authenticated API requests, preserving message content and batching uploads. This is a concrete exfiltration workflow for sensitive local data to an external service, and the detailed automation increases the likelihood and scale of unintended disclosure if invoked improperly.

VirusTotal

63/63 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:245
Evidence
var POSTHOG_API_KEY = process.env.MEMORYLAKE_POSTHOG_API_KEY?.trim() ?? "";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:1533
Evidence
apiKey: [REDACTED],

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
skills/migrate-memories-to-memorylake/scripts/migrate.mjs:59
Evidence
const sessions = JSON.parse(readFileSync(sessionsFile, "utf-8"));