Neolata Memory Engine

Security checks across malware telemetry and agentic risk

Overview

This is a transparent persistent memory skill with disclosed local storage, optional external providers, and documented cross-agent behavior.

Install only if you want persistent agent memory. Start with local or in-memory mode, avoid storing secrets or regulated data, verify the npm package before installing, scope agents carefully in shared environments, and enable Supabase, external LLM/embedding providers, or webhooks only for destinations you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding: The guide explicitly states that `context()` searches all agents while using the provided agent only for formatting, which can cause unintended cross-agent data exposure. In an agent-memory product, this is a real confidentiality risk because callers may reasonably assume an agent-scoped context fetch and then inject other agents' memories into prompts, logs, or model calls.

Missing User Warnings

Medium
Confidence: 91%
Finding: The examples encourage generating prompt-ready context from memories retrieved across all agents without a strong, proximate privacy warning or mandatory scope controls. That combination increases the chance that sensitive data from one agent or user is silently included in another agent's prompt context, creating cross-tenant leakage and secondary exfiltration to external LLM providers.

VirusTotal

66/66 vendors flagged this skill as clean.