Back to skill

Security audit

Hippocampus

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed persistent memory skill, but it needs Review because it can repeatedly process conversation history, retain sensitive personal memories, and generate a dashboard that may expose local data.

Install only if you intentionally want durable agent memory of your conversations. Start without --with-cron and without --whole until you understand the data being processed; inspect memory/index.json, pending-memories.json, HIPPOCAMPUS_CORE.md, brain-events.jsonl, and brain-dashboard.html; avoid putting secrets in conversations; keep IDENTITY.md avatar paths limited to intended image files inside the workspace; and know how to remove the cron jobs and delete stored memories before enabling background operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises executable installation and operational scripts, file access, environment-variable usage, and shell commands, but does not declare any permissions or clearly scope those capabilities. This creates a trust and review gap: users may install a skill that can read/write workspace data and invoke shell operations without explicit informed consent or policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as a memory system, but the described behavior extends into broad transcript ingestion, dashboard generation, cross-skill data aggregation, identity/avatar reading, cron installation, event logging, and LLM-driven summarization workflows. That mismatch materially increases risk because operators may approve it for memory functions without realizing it performs wider surveillance, persistence, and UI/data aggregation activities.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script advertised as performing memory-score decay also invokes separate scripts for syncing and dashboard generation, which expands its side effects beyond the stated purpose. In an agent skill context, chaining extra executable components increases attack surface because those downstream scripts may read, write, index, or expose additional workspace data when decay is run automatically or on a schedule.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The comment claims only 'core memories' are synced, but this script does not enforce any such constraint before invoking sync-core.sh. That mismatch is risky because operators may trust the comment and run the script in sensitive environments, while the called script could process broader data than implied.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The generated HTML imports Google Fonts from an external domain, causing viewers of the dashboard to make network requests that disclose metadata such as IP address, access timing, and potentially the existence of this dashboard artifact. For a local dashboard displaying sensitive memory and emotional state data, adding undisclosed third-party network dependency increases privacy risk and weakens offline trust assumptions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The architecture explicitly describes a background agent that continuously monitors conversations and maintains persistent memory, but it does not describe any clear user consent, privacy notice, retention policy, or controls over what is stored. This creates a real privacy and data-governance risk because sensitive user content may be captured and retained without informed authorization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file structure and integration sections describe periodic writes to memory/index.json and related domain files, but there is no explicit warning or safeguard around persistent modification of user-derived data. In context, this means the system can silently accumulate durable records of conversations, increasing privacy exposure and the chance of unauthorized or excessive retention.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The configuration explicitly sets up a background agent to monitor the main session, silently process conversation history, and modify persistent memory files without user-visible notice or consent controls. In a memory skill this behavior is functionally aligned with the feature, but it still creates a real privacy and integrity risk because sensitive user content may be collected, retained, and transformed outside the active interaction loop.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises background extraction of conversation signals, LLM summarization, and persistent storage, but it does not clearly warn users that potentially sensitive conversation content may be automatically processed and retained. In a memory skill, that omission is security-relevant because users may enable it without realizing private data will be continuously distilled and stored beyond the original session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation instructions encourage use of --with-cron and whole-history processing without a clear warning that this enables recurring unattended processing and modification of memory state. That can surprise users by causing continuous ingestion of conversations and ongoing changes to stored memories after installation, increasing privacy and integrity risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill persistently captures conversation-derived memories, including user facts and emotional content, and can schedule recurring processing via cron, yet the user-facing description does not present a clear warning about this retention. Without explicit notice, users may reveal sensitive personal information under the assumption it is ephemeral, when it is actually being stored and reprocessed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to overwrite the entire persistent memory index, which modifies stored user-related data without any confirmation, validation, rollback, or user-visible notice. In a memory-management skill this behavior is functionally intended, but it is still risky because malformed input, logic errors, or prompt-injected signals could cause silent corruption, deletion, or inappropriate retention of sensitive memories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly directs the agent to save `memory/index.json` containing conversation-derived memories, including potentially personal or sensitive details, without any consent, notice, retention limits, or access controls. Persisting user-derived memory to disk by default creates a privacy and data-governance risk because sensitive information can outlive the session and be exposed, repurposed, or mishandled later.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs the agent to delete or remove memory content based on its own judgment, but it provides no requirement for user confirmation, backup, retention policy, or review safeguards. In a persistent memory system, this can lead to irreversible loss of user-related context, preferences, or history, especially because the deletion criteria are subjective terms like 'routine' or 'no longer relevant'.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to write introspective content into persistent memory files without any notice, consent check, or boundary around when file modification is appropriate. In a persistent-memory skill, this can cause silent retention of sensitive or misleading self-reflective content, creating privacy, integrity, and behavioral-manipulation risks over time.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt explicitly instructs the agent to write changes to `memory/index.json` without any requirement to notify the user, request consent, or disclose that persistent state is being modified. In a memory skill, silent persistence of conversation-derived data is a real security and privacy issue because users may not realize their data is being stored or altered beyond the current session.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The proactive recall triggers are broad enough to activate on common conversational situations such as project work, references to the past, similar situations, or emotional topics. In a persistent-memory skill, this can cause unnecessary retrieval of stored user or relationship data, increasing the chance of over-collection, privacy leakage into responses, or use of stale/misapplied memories without explicit user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
This prompt explicitly encourages storing highly sensitive emotional, relational, and trust-related disclosures in persistent memory without any notice, consent, minimization, or purpose limitation. In a memory skill, that creates a real privacy and safety risk because users may reveal intimate information believing it is ephemeral, while the system is instructed to retain it for future use.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation criteria are broad and subjective, such as capturing fears, doubts, emotional state, and relationship discussions, which can sweep in ordinary conversation that should not be persisted. Because the skill is designed for automatic memory formation, ambiguous triggers materially increase the chance of over-collection of sensitive user data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The fallback rule 'Would future-me want to know this happened?' is inherently subjective and biases the agent toward retention, especially in uncertain cases. In a persistent memory system, that kind of vague heuristic promotes inconsistent and excessive capture of personal events, including sensitive ones.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The prompt explicitly instructs the agent to write self-reflective insights into persistent memory files, including identity, opinions, and growth, without any guardrails about provenance, user consent, sensitive data handling, or separation between user facts and model self-narrative. In a persistent memory skill, this can cause unreviewed long-term storage of speculative or emotionally loaded content, increasing the risk of privacy leakage, memory poisoning, and behavioral drift across sessions.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The prompt strongly frames the assistant as forming a personal identity, evolving relationships with the user, and developing opinions distinct from a generic assistant. In the context of a persistent memory system, this anthropomorphic framing is more dangerous because it encourages the agent to encode durable self-models and relational narratives that can manipulate user trust, reinforce inappropriate attachment, and bias future behavior based on fictional or ungrounded self-concepts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prompt directs the agent to modify persistent memory files without any user-facing disclosure, confirmation, or policy guardrails. In a memory skill, silent writes can alter long-term agent behavior or store sensitive/inaccurate self-model data, making this a real integrity and transparency issue even if the goal is reflective maintenance rather than overt exfiltration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The pipeline persists user-derived conversation content into workspace files (`pending-memories.json` and related memory state) without any visible consent check, notice, minimization, or sensitivity filtering. In a memory skill whose purpose is long-term retention, this increases privacy risk because personal, emotional, or otherwise sensitive user data may be stored across sessions and later exposed to other components, users, or backups.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes a persistent HTML file containing summarized memory, emotional, reward, avatar, and identity-derived data into the workspace without warning, consent, access control, or minimization. This creates an additional sensitive artifact that may be read later by other local tools, synced, backed up, or exposed via accidental sharing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
CONFIG-UPGRADE.md:23