Security audit

Daydreamer

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed local memory and brainstorming tool, but it can read prior session logs and turn them into persistent memories without a clear consent or redaction step.

Install only if you are comfortable with a local memory tool that may persist summaries of your work and reuse them later. Before first use, skip or closely supervise starter-memory seeding from session logs, set DAYDREAM_WORKSPACE to a dedicated folder, review Daydreams.MD and ideas/*.md for sensitive content, and choose manual scheduling if you do not want automated sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares broad operational behavior involving environment variables, file reads/writes, and web search, but there is no explicit permissions declaration or user-facing consent boundary for those capabilities. That makes the trust boundary unclear and increases the risk that an agent will access local data or external network resources more broadly than the user expects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose presents the skill as a creative daydream/memory feature, but the instructions expand into reading prior session logs, persisting extracted memories, creating additional idea files, and running a lifecycle CLI. That mismatch is security-relevant because users may authorize the skill for a benign-sounding purpose without realizing it performs retrospective data mining and broader persistence operations.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The skill enumerates conversation/session logs from a default directory under the user's home folder and returns their paths for later reading. It then explicitly instructs the agent to read those logs and extract memories, which can expose unrelated conversations, credentials, secrets, internal prompts, or other sensitive data outside the user's immediate request.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding: The script writes synthesized output to an additional persistent `ideas/` directory, increasing the scope of data storage beyond the main daydream log and memory files. Even if the content is generated, it is derived from accumulated memories and responses and may duplicate sensitive or private material into another location the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The seeding flow instructs the agent to read prior session log files and convert their contents into persistent memories without first informing the user that historical conversation data will be mined and retained. This can expose sensitive prior requests, decisions, or personal data beyond the original context in which they were provided.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Mode 3 constructs web searches from accumulated session-derived context, but the skill does not require redaction or explicit disclosure before sending that context to an external search provider. If memories or prior cycle context contain confidential or identifying details, those details may be transmitted off-device during routine operation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The session-log discovery feature exposes file paths to conversation logs and directs the agent to read them without a strong warning that those files may contain privacy-sensitive content. This creates a prompt-driven data access path where the agent is encouraged to ingest sensitive logs as part of normal operation.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding: The script persistently stores user-derived memory content, cycle context, and synthesis outputs, but does not clearly warn users that this data will be written to disk and retained. While persistence is part of the feature, the lack of clear disclosure can lead to unintended storage of sensitive personal or conversational material.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: The skill directs the agent to mine past session logs, extract meaningful user activity, and store that material in a persistent memory bank for future reuse. This creates a durable secondary data store from prior conversations, increasing the chance of over-retention, repurposing, and later disclosure of information the user did not expect to be memorialized.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The skill instructs daily writing of memories about user interactions and later reuse of those memories in future daydream sessions. Even if intended as a product feature, this is still a security/privacy risk because it normalizes ongoing behavioral profiling and persistence of user activity without strong minimization or consent controls in the workflow.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The architecture repeatedly carries forward the full accumulated context from prior cycles into later prompts and synthesis, which increases unnecessary propagation of stored data. Broad context replay raises the chance that sensitive information from one memory or cycle will be exposed in unrelated later reasoning, logged outputs, or externally derived actions such as web searches.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The skill instructs the agent to mine conversation logs for meaningful events and store them as plain-language memories in a durable memory file. This can transform sensitive user content from logs into an easily searchable, long-lived summary, increasing retention and making accidental disclosure more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.