Security audit

Metacognition

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent self-reflection tool, but it needs review: its security claims do not match the code, and reflective text can be sent, via curl, to whatever endpoint the EMBEDDINGS_URL environment variable names.

Install only if you are comfortable with persistent summaries of session history and notes influencing future agent behavior. Before use, leave EMBEDDINGS_URL unset or point it only at a trusted local endpoint; do not enable cron until you have reviewed the workflow; and periodically inspect or delete memory/metacognition.json and scripts/metacognition-lens.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'EMBEDDINGS_URL' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    if _embeddings_available is not None:
        return _embeddings_available
    try:
        result = subprocess.run(
            ["curl", "-s", "-m", "2", "-X", "POST", EMBEDDINGS_URL,
             "-H", "Content-Type: application/json",
             "-d", json.dumps({"input": "test"})],
Confidence
90% confidence

Tainted flow: 'EMBEDDINGS_URL' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    if not _test_embeddings():
        return None
    try:
        result = subprocess.run(
            ["curl", "-s", "-m", "10", "-X", "POST", EMBEDDINGS_URL,
             "-H", "Content-Type: application/json",
             "-d", json.dumps({"input": text[:2000]})],  # truncate long texts
Confidence
97% confidence

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a self-reflective local memory system, but it transmits processed text to an embeddings endpoint. That mismatch is security-relevant because operators may reasonably expect private transcript-derived content to remain local, leading to unconsented disclosure of sensitive memory and behavioral data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The extract flow reads daily note content and then sends extracted entries to the embeddings service without any user-facing warning or consent boundary. In context, those notes may contain internal reflections, mistakes, decisions, and other sensitive metacognitive material, making silent transmission especially dangerous.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The add command sends user-provided text to the embeddings endpoint without explicit notice, so users may unknowingly transmit sensitive freeform memory content off-box. Because the command accepts arbitrary text, it can easily capture credentials, internal prompts, personal notes, or other confidential data entered during operation.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.