Back to skill

Security audit

Agent Memory

Security checks across malware telemetry and agentic risk

Overview

This skill creates a local agent-memory folder and stores user preferences/corrections there, which is disclosed and aligned with its purpose, with no evidence of hidden network access, credential use, or destructive behavior.

Install only if you want an agent to keep long-term local memory. Review ~/agent-memory periodically, avoid sensitive personal or business data, keep multi-agent shared files narrowly scoped, and do not encode casual phrases as approval for high-impact actions unless your workflow requires explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs users to run a bootstrap script and to create and modify persistent files under ~/agent-memory, but the skill metadata shown here does not declare corresponding file-write permissions. Undeclared write capability is dangerous because it hides state-changing behavior from the permission model and user expectations, especially when the files contain user-related preferences and correction history.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill advertises persistent memory, auto-learning, forgetting, memory stats, self-reflection, decay, and multi-agent sharing, but the documented behavior in this file only scaffolds directories and seed files. This mismatch is security-relevant because users may rely on privacy, deletion, and retention guarantees that do not actually exist, leading to unsafe assumptions about what is stored, forgotten, or shared.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup guidance tells users to initialize a persistent memory store under ~/agent-memory, but it does not provide an explicit warning that user-related data will be written and retained there. This is risky in a memory-oriented skill because users may provide sensitive preferences, work context, or correction history without realizing the data is being persistently stored on disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The architecture explicitly persists user preferences, corrections, and behavior patterns across multiple files, but it does not define consent, retention limits, access controls, redaction rules, or handling for sensitive personal data. In a memory skill, this omission is more dangerous because the feature is specifically designed to accumulate and reuse user-derived data over time, increasing privacy, profiling, and unintended disclosure risk.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The context-match loading rule is underspecified, so an agent may load shared domain or project memory too broadly based on weak keyword overlap or ambiguous prompts. In a memory architecture skill, that can expose unrelated prior context across tasks or agents and cause unintended instruction carryover, making this more dangerous than a generic documentation ambiguity because it directly affects what hidden state is injected into future sessions.

Vague Triggers

Low
Confidence
69% confidence
Finding
Saying the agent should load memory 'on startup' without defining which startups, sessions, or trust boundaries can lead to persistent memory being injected into unintended conversations. In this skill's context, automatic memory restoration increases the chance of stale, cross-user, or cross-task data influencing behavior, though the impact is lower than the broader context-matching issue because it is mainly a scoping/configuration weakness.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.