Satori

Security checks across malware telemetry and agentic risk

Overview

Satori is a real memory skill, but it can silently save and reuse conversation details through an external CLI without clear user confirmation or deletion controls.

Install only if you intentionally want Satori to store and recall conversation facts across sessions. Before use, decide whether your agent should ask before every save and whether it should avoid saving sensitive personal or business details. Also verify how to review and delete what it has stored, how to rotate credentials, and how to pin or inspect the Satori CLI package instead of running `@latest` automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

High
Confidence: 96%
Finding
The trigger conditions are broad enough to activate on common phrases like "save," "add," or ordinary requests for recall, which can cause the memory skill to run when the user did not clearly intend persistent storage or cross-session retrieval. In a skill designed to search and store long-term memory, overbroad activation materially increases the chance of unauthorized collection or use of conversation data.

Missing User Warnings

High
Confidence: 98%
Finding
The skill describes automatic credential provisioning and storage behavior but does not clearly warn users that their conversation content may be stored and searched across sessions. This undermines informed consent and can lead to users disclosing sensitive data without realizing it will persist beyond the current interaction.

Missing User Warnings

High
Confidence: 99%
Finding
The workflow explicitly instructs the agent to perform background searches and "silently incorporate" retrieved results without telling the user. Hidden retrieval from persistent memory or an external service removes transparency, can surprise users, and may expose prior sensitive context in responses without a clear consent boundary.

Ssd 3

Medium
Confidence: 95%
Finding
The skill encourages proactive storage across sessions based on broad conversational conditions rather than explicit permission, which risks persisting user data that was only meant for the current chat. Because this is long-term memory infrastructure, saving without clear consent expands privacy exposure and can create durable records of sensitive context.

Ssd 3

Medium
Confidence: 98%
Finding
Silently using retrieved memory in responses hides an important data flow from the user and can cause the model to blend prior stored information into current outputs without attribution. This is dangerous in a memory skill because users cannot distinguish fresh reasoning from externally retrieved or previously persisted personal data.

Ssd 3

Medium
Confidence: 97%
Finding
The skill instructs broad extraction and storage of names, deadlines, contacts, strategic direction, and other contextual facts, which can include sensitive personal or business information. Without strong consent, minimization, and classification rules, this creates a substantial privacy and confidentiality risk and increases harm if the memory store is queried inappropriately or compromised.

VirusTotal

62/62 vendors flagged this skill as clean.
