Back to skill

Security audit

Memory Setup

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill sets up persistent memory search in a way that matches its stated purpose, but users should deliberately limit what gets indexed.

Before installing or following this skill, decide whether you want past sessions indexed for future recall. Avoid storing passwords, tokens, regulated personal data, confidential business content, or unnecessary personal details in MEMORY.md, memory logs, or indexed sessions. Use the local provider for more private workspaces, or review Voyage/OpenAI data handling before using hosted embeddings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to enable persistent memory over MEMORY.md, daily logs, and past session transcripts, which can index and later recall personal preferences, project history, and prior conversations, but it does not clearly warn users about the privacy implications. This omission can lead users to enable broad retention and search of sensitive data without informed consent or appropriate scoping, especially because the skill frames the feature as an unqualified improvement ('goldfish to elephant').

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.