Back to skill

Security audit

MemoryLayer

Security checks across malware telemetry and agentic risk

Overview

MemoryLayer appears to be a coherent hosted memory client, with the main risk being that selected memories and search queries are sent to a remote service.

Install only if you are comfortable sending selected agent memories, metadata, and search queries to MemoryLayer or a configured endpoint. Prefer a scoped API key over an account password, avoid storing secrets, tokens, regulated data, private documents, or sensitive operational procedures, and review retrieved memories before allowing them to steer important agent actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs users to supply environment-based credentials and interact with an external hosted service, yet no corresponding permissions or trust boundary disclosures are declared. This can mislead operators about the skill's actual capabilities and cause secrets or data to be exposed to a networked third party without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose focuses on semantic memory and token savings, but the documented behavior also includes authenticating to an external service, remotely storing memories, and retrieving account data. That mismatch obscures the true data flow and security model, which is dangerous because users may provide sensitive memories assuming local-only handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes storing and retrieving user memories through a hosted service and instructs users to provide account credentials, but it does not disclose that memory contents may be transmitted to and stored by a third-party service or discuss privacy, retention, or handling of sensitive data. In an agent-memory context, those memories can contain highly sensitive user preferences, conversation history, and operational data, so the omission can lead developers to exfiltrate sensitive information without informed consent or safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages storing rich free-form 'memories' such as preferences, work relationships, and operational procedures, which can easily include sensitive personal, business, or infrastructure data. Because the content is described as being searched and managed through an external service, the absence of a prominent privacy and external-transmission warning creates a real risk of inadvertent data exfiltration.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup section tells users to export an email/password or API key but provides no guidance on secure secret handling, storage, rotation, or scoping. This increases the chance of accidental credential leakage through shell history, logs, screenshots, shared environments, or over-privileged long-lived keys.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The example persists user-related preferences and feedback into long-term memory without any visible consent, notice, retention limit, or sensitivity filtering. In an agent integration context, this can normalize storing personal or potentially sensitive conversational data by default, creating privacy, compliance, and prompt-context leakage risks if developers copy this pattern into production.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The remember() method sends arbitrary user-provided content and metadata to a third-party remote service without any built-in disclosure, consent, or data-classification guardrails. In an agent setting, this can cause unintentional transmission of sensitive prompts, personal data, secrets, or proprietary context to an external endpoint.

External Transmission

Medium
Category
Data Exfiltration
Content
"""
        self._ensure_auth()
        
        response = requests.post(
            f'{self.api_url}/memories',
            json={
                'content': content,
Confidence
84% confidence
Finding
requests.post( f'{self.api_url}/memories', json=

External Transmission

Medium
Category
Data Exfiltration
Content
"""
        self._ensure_auth()
        
        response = requests.post(
            f'{self.api_url}/memories/search',
            json={'query': query, 'limit': limit},
            headers={'Authorization': f'Bearer {self.token}'}
Confidence
84% confidence
Finding
requests.post( f'{self.api_url}/memories/search', json=

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://github.com/davidhx1000-cloud/memorylayer-skill"
  },
  "dependencies": {
    "axios": "^1.6.0"
  },
  "scripts": {
    "test": "node examples/basic-usage.js"
Confidence
96% confidence
Finding
"axios": "^1.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
# MemoryLayer Python Wrapper Dependencies

# HTTP client
requests>=2.31.0

# Future: When published to PyPI
# memorylayer>=1.0.0
Confidence
96% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
axios==1.6.0

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
91% confidence
Finding
requests==2.31.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:5

Python code POSTs credential environment variables to an environment-controlled URL.

Critical
Code
suspicious.env_credential_access
Location
python/memorylayer_skill.py:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:7