Back to skill

Security audit

Agent Memory Store

Security checks across malware telemetry and agentic risk

Overview

This is a real memory-store skill, but it exposes persistent agent memories through an unauthenticated HTTP service and can send memory text to OpenAI without clear user-facing disclosure.

Install only if you can run it in a controlled environment. Bind or firewall port 8768 so only intended local agents can reach it, do not store secrets or sensitive personal data, and unset OPENAI_API_KEY unless you intentionally want memory and query text sent to OpenAI for embeddings. Periodically inspect and delete the SQLite database if retained memories are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and demonstrates network and environment-related capabilities but does not declare any permissions or trust boundaries. This weakens reviewability and consent, and can let a memory service access local agent data and expose it over an HTTP interface without users realizing the operational scope.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
A local shared-memory skill pointing to an unrelated external homepage is a supply-chain trust signal issue. It can mislead reviewers about provenance, make auditing harder, and may indicate the published metadata does not match the actual functionality being installed.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as a shared SQLite-backed memory store, but it also transmits stored memory/query text to an external OpenAI API for embeddings. In a memory system, contents may include sensitive cross-agent context, so undisclosed external transmission materially changes the trust boundary and can leak private data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Reading OPENAI_API_KEY from the environment enables a hidden networked capability that is not obvious from the stated local memory-store purpose. In agent environments, silently activating external calls based on ambient credentials can cause unintended data disclosure and make behavior differ across deployments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly persists cross-agent memories to a SQLite database that survives restarts, yet the description does not warn that sensitive user or agent data may be retained on disk. In this context, the omission is more dangerous because the service is designed for shared semantic memory, increasing the chance that secrets, preferences, or other private data are stored longer than intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Memory content submitted via the API can be sent to the embeddings service without any user-facing warning at the point of storage or query. Because this service is a shared semantic memory store, users may reasonably assume data remains local, making silent third-party transmission particularly risky.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.