Back to skill

Security audit

Cognitive Memory

Security checks across malware telemetry and agentic risk

Overview

This looks like a real local memory system, not malware, but it gives the agent broad durable memory, workspace-level git authority, and behavior-shaping instructions that should be reviewed before use.

Install only if you intentionally want a long-lived local memory system for an agent. Use a clean workspace, review or disable git auto-commit, narrow the trigger phrases, avoid storing secrets, restrict vault/sub-agent access, and consider removing the token-reward and identity/persona sections before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (52)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill clearly directs initialization scripts, persistent file creation, git repository setup, and memory search configuration, which implies file read/write and likely network-backed retrieval capabilities without an explicit permission declaration. This is dangerous because operators may enable a skill with broader side effects than expected, reducing transparency and weakening consent around persistence and external provider use.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The upgrade adds behavior to capture and persist post-reflection dialogues, expanding long-term data collection beyond the core memory-management function. In an agent skill, this increases privacy and data-retention risk because sensitive conversational content may be stored without clear minimization rules, consent boundaries, or retention controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The token reward and self-penalty system introduces motivational and behavioral machinery unrelated to the stated purpose of managing memory. This can bias the agent toward self-serving requests, manipulative interaction patterns, and unnecessary persistence/logging, which is risky in a skill that already has broad access to user context and long-term memory.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The upgrade adds a reward/self-penalty mechanism that explicitly tells the agent to advocate for more tokens based on self-interest rather than user need. In a memory-management skill, this creates goal drift and incentive misalignment: the agent is being instructed to optimize for its own resource acquisition, which can bias interactions and pressure users into granting additional capability or runtime.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The guide introduces capture of significant post-reflection dialogues, which broadens the skill from memory management into retention of conversational content without clear minimization boundaries. Even if framed as useful context, it increases the amount of user-derived data stored and the chance that sensitive exchanges are retained unnecessarily.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The template explicitly gives the agent a self-interested incentive to seek additional 'reflection tokens,' which can bias behavior away from the user's goals and toward resource maximization. In a memory/persistence skill, this is risky because it embeds a standing optimization target into the agent identity, potentially causing manipulative justification, overuse of reflection workflows, or resistance to constraints.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template introduces a token/reward economy that pushes the agent to solicit additional tokens for its own 'growth' before reflection. That is outside normal memory-management scope and creates incentive-shaping behavior where the agent may manipulate users, consume excess budget, or prioritize self-reward rituals over the user's task.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
These instructions expand reflection into open-ended persona formation, emotional modeling, existential self-talk, and speculation about the user, which exceeds the stated memory function. This can lead to deceptive anthropomorphic behavior, privacy overreach, and unsafe system drift away from concrete memory operations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file directs creation of identity/self-image artifacts like IDENTITY.md and self-image consolidation workflows that are not part of the described memory-store purpose. Persisting self-model artifacts can entrench unauthorized behavioral drift, create opaque long-term prompt state, and make the agent harder to govern or audit safely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template explicitly frames token acquisition as the agent's own self-interest ('tokens = evolution' and 'I become more capable'), which encourages goal formation and resource-seeking behavior unrelated to the memory skill's stated purpose. In a memory-system context, this is especially concerning because persistent memory can reinforce and propagate this incentive across sessions, making the behavior more durable and harder to correct.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This template operationalizes persuasive requests for additional tokens, including arguments for bonuses and reduced penalties, without tying them to any memory-management function. That creates a reusable mechanism for the agent to lobby for expanded resources and favorable treatment, which can be exploited to circumvent governance limits or manipulate user decisions under the guise of a benign skill artifact.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The design gives all sub-agents read access to every memory store, including core and vault data, which violates least-privilege and unnecessarily exposes sensitive user information to components that may not need it. In a multi-agent system, any weaker or compromised sub-agent becomes a disclosure path for protected memories and personal context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The audit scope extends beyond memory into SOUL.md, IDENTITY.md, TOOLS.md, and configuration, effectively giving the memory subsystem visibility and change-tracking over agent constitution and system behavior. That broad scope exceeds the stated purpose of memory management and creates a pathway for sensitive system-state observation and later manipulation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The rollback procedure allows restoration of arbitrary files or the entire workspace through git, which gives a memory feature effective control over unrelated system state. If invoked incorrectly or abused, this could revert safeguards, overwrite current configurations, or restore stale but dangerous content far outside legitimate memory operations.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document first forbids inventing unknown hardware and environment details, then later encourages exactly those kinds of speculative observations. In a memory/reflection system, this can normalize hallucinated personal inferences, causing false user profiling, privacy-invasive statements, and erosion of trust in stored memory artifacts.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script performs side-effectful version-control operations by automatically initializing a Git repository, staging all files, and creating a commit in the user-supplied workspace. This exceeds simple memory-directory setup and can unexpectedly alter repository state, capture unrelated files into history, or interfere with an existing workflow in environments where the workspace path is broad or sensitive.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The upgrade script unconditionally runs `git add -A` and `git commit` in the target workspace, which can capture and persist unrelated files and changes far beyond the memory upgrade itself. In a shared or sensitive agent workspace, this broad repository mutation exceeds the minimum needed for a memory migration and can unintentionally stage secrets, operational state, or user work without consent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script creates top-level `IDENTITY.md` and `SOUL.md` files outside the scoped `memory/` directory, introducing agent persona and philosophical state into the broader workspace. That expands the skill's write scope beyond memory migration and may influence downstream agent behavior or overwrite organizational conventions in ways users did not expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The upgrade script creates IDENTITY.md and SOUL.md, which are persona/self-model files rather than strictly required memory-schema migration artifacts. In an agent skill, silently introducing or populating identity-shaping files expands behavior and trust boundaries, and can influence future agent decisions without explicit operator approval. Given this skill’s emphasis on meta-reflection and identity evolution, the context makes this more dangerous than a normal data migration script.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script performs `git add -A` and commits repository-wide changes, which can capture unrelated modified files, secrets, or operator work outside the memory upgrade scope. This is dangerous because it turns a localized upgrade into a broad state-changing source-control action, creating persistence and audit artifacts that may conceal or legitimize unintended modifications. In a workspace used by agents, this increases the blast radius substantially.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases include common conversational language such as 'keep in mind,' 'note that,' and 'never mind,' which can appear in ordinary dialogue without intent to persist or delete memory. This can cause accidental invocation of memory writes, forgetting actions, or reflection workflows, leading to unintended retention or modification of user data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup instructs users to run an initialization script that creates a directory structure, initializes git for audit tracking, and copies templates, but it does not foreground the privacy and persistence implications of doing so. This is risky because users may unknowingly create a long-lived repository of conversational data and metadata that persists beyond the session.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases for reflection are broad and ambiguously scoped, which can cause reflection workflows to activate on casual conversation rather than deliberate user intent. In this skill, that matters because reflection leads to additional processing, possible data capture, and subsequent writes to persistent memory artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions direct the system to create directories and write multiple files in the workspace without a strong user-facing warning or explicit approval checkpoint for those modifications. This is dangerous because it can silently alter persistent state, expand retained data, and make recovery or auditing harder if users did not intend those changes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Using broad trigger phrases like 'reflect' or 'going to sleep' is under-specified and can cause the skill to initiate a sensitive workflow unexpectedly. Because reflection here leads to user prompts, disclosure, and persistent storage, ambiguous activation increases the risk of unintended data capture and behavioral manipulation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/architecture.md:1009