AGI记忆模组 (AGI Memory Module)

Security checks across malware telemetry and agentic risk

Overview

This is a real always-on memory system, but it asks for broad persistent access and includes sensitive profiling, credential storage, and unsafe local file primitives that need review before installation.

Install only if you intentionally want an always-on, cross-session memory layer. Use a dedicated storage directory, avoid storing credentials through this skill unless you explicitly need that feature, disable or remove emotional/personality profiling and host monitoring unless clearly consented to, and confirm there are working export/delete controls before using it with private conversations or sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (55)

Context-Inappropriate Capability (Medium)
Confidence: 95%
Finding:
The schema explicitly stores psychological/personality-style profiling via fields such as neuroticism_tendency, triggers, and derived_from. In a skill described as always-on memory for all user interactions, this goes beyond minimally necessary context retention and creates durable sensitive inference data that could be misused for manipulation, discrimination, or unsafe downstream decision-making.

Context-Inappropriate Capability (Medium)
Confidence: 94%
Finding:
The emotional_memory schema enables persistent storage of emotion states, triggers, attitudes, and strengths over time. Because this skill is described as a mandatory resident meta-skill triggered by any interaction, the design supports broad longitudinal emotion profiling without clear necessity, increasing privacy risk and enabling manipulative personalization or harmful inference about vulnerable users.

Context-Inappropriate Capability (Medium)
Confidence: 89%
Finding:
The design explicitly introduces emotional and identity-based activation, which expands the system from generic memory/context engineering into persistent user profiling. In an always-on meta-skill that triggers on every interaction, this creates unnecessary collection and reuse of sensitive inferred attributes, increasing privacy risk, behavioral manipulation potential, and cross-context overreach beyond the stated core purpose.

Description-Behavior Mismatch (Medium)
Confidence: 90%
Finding:
The API reference exposes a much broader capability surface than the declared 'context/memory meta-skill', including privacy, encryption, monitoring, and dual-track extraction subsystems. In an always-on skill that triggers on every interaction, undocumented scope expansion increases the chance of unauthorized data collection, processing, or persistence beyond user expectations and weakens least-privilege boundaries.

Context-Inappropriate Capability (Medium)
Confidence: 87%
Finding:
The document advertises PrivacyManager, ConsentStatus, and encrypt/decrypt capabilities without clearly tying them to a narrowly defined, consented memory function. In a persistent memory system, privacy and encryption primitives are sensitive because they imply handling, transforming, or storing user data in ways that may exceed the stated purpose; vague justification makes misuse or overcollection harder to detect.

Context-Inappropriate Capability (Medium)
Confidence: 89%
Finding:
The design explicitly includes emotional-pattern and identity-evolution analysis over long-term memory, which expands the skill from contextual memory support into sensitive user profiling. In an always-on memory skill, this can influence future responses using inferred emotional state or identity trajectory without clear necessity, consent boundaries, or minimization controls.

Context-Inappropriate Capability (Medium)
Confidence: 91%
Finding:
The overview describes predictive behavior modeling, personalization, and actionable recommendations, which go beyond passive memory retrieval into behavioral inference and steering. Because this skill is described as universally triggered and persistently resident, the profiling surface is broader and can systematically shape agent behavior based on inferred patterns rather than current user intent.

Intent-Code Divergence (Medium)
Confidence: 94%
Finding:
The document claims insight injection does not affect the main flow, yet elsewhere specifies forced context injection for high fit-score signals. This contradiction is risky because hidden or mandatory context shaping can silently bias the model's reasoning and outputs, especially when injected content includes recommendations derived from profiling.

Intent-Code Divergence (Medium)
Confidence: 91%
Finding:
The document explicitly states that DECISION_CONTEXT should be used for context activation and not persisted to long-term memory, but the code example shows it resolving to CORE_SKILL. In a memory subsystem that runs on every interaction, this inconsistency can cause implementers to persist transient decision context as durable user state, leading to privacy over-collection, incorrect profiling, and unsafe downstream behavior based on stale or misclassified memory.

Context-Inappropriate Capability (Medium)
Confidence: 95%
Finding:
The module index explicitly includes `credential_manager.py` under the infrastructure layer, indicating this memory/context skill has the capability to manage API keys or other secrets beyond its stated purpose. In a skill that is described as always-on and triggered by any user-model interaction, secret-handling functionality materially expands the attack surface because a compromise, misuse, or overreach in memory pipelines could expose or misuse credentials.

Context-Inappropriate Capability (Medium)
Confidence: 95%
Finding:
The writer accepts an arbitrary file_path from callers and later creates parent directories and writes to that path without any allowlist, sandbox, or path canonicalization. In an agent skill that is described as always-on and triggered by any interaction, this turns a memory helper into a general filesystem write primitive that could overwrite application files, configs, prompts, or user data if upstream inputs are attacker-influenced.

Context-Inappropriate Capability (Medium)
Confidence: 96%
Finding:
The implementation opens the target with mode "w" and serializes the entire supplied object, causing destructive whole-file replacement rather than scoped updates. Combined with arbitrary path control, this enables easy corruption or replacement of existing files, increasing the severity from simple persistence to a generic overwrite capability.

Intent-Code Divergence (Medium)
Confidence: 95%
Finding:
The module-level documentation promises strong consistency and failure recovery, but the implementation returns SUCCESS for eventual writes before any backend write occurs and only logs async worker failures without surfacing them. This can mislead callers into treating data as durably propagated when caches may still be stale or silently divergent, which is a real integrity issue for a memory/cache subsystem.

Intent-Code Divergence (Medium)
Confidence: 92%
Finding:
The eventual-consistency delete path claims to synchronously delete L1 and asynchronously delete other layers, but no deletion task is ever enqueued or executed for L2/L3. This leaves stale entries in lower cache tiers, so deleted data can reappear or continue to be served, causing cache incoherence and possible unauthorized persistence of information.

Context-Inappropriate Capability (High)
Confidence: 93%
Finding:
L3DiskCache.clear() recursively deletes the entire configured cache_dir via shutil.rmtree without validating that the path is safe, dedicated, and non-sensitive. If an attacker or misconfiguration controls cache_dir, this can erase arbitrary filesystem content within the process's permissions, making the skill more dangerous because it is a persistent always-on memory component likely to run frequently and touch real user state.

Description-Behavior Mismatch (Medium)
Confidence: 93%
Finding:
The module adds persistent local-file lifecycle tracking and report storage inside a context/memory orchestrator, including loading and saving usage statistics to a JSON file. In an always-on agent-memory skill, this creates covert persistence beyond transient context handling, which can retain behavioral metadata and expand the privacy/data-retention surface without clear necessity or consent.

Context-Inappropriate Capability (Medium)
Confidence: 90%
Finding:
The file implements developer analytics, quality reporting, type lifecycle management, and usage monitoring that go beyond the stated purpose of context orchestration. Because this skill is described as always resident and triggered on any user-model interaction, these extra monitoring capabilities materially increase surveillance and persistence risks across all conversations.

Context-Inappropriate Capability (High)
Confidence: 97%
Finding:
This module adds persistent credential storage, encryption, local master-key management, and explicit master-key export to a skill described as memory/context engineering. In an always-on agent-memory context, this materially expands the trust boundary: the skill can accumulate and retain secrets unrelated to its declared purpose, and exporting the master key defeats the protection of encrypted-at-rest storage if the API is exposed or misused.

Description-Behavior Mismatch (High)
Confidence: 95%
Finding:
The file’s documented behavior is credential management, but the skill metadata describes a memory/context support capability that is forced to run persistently. This mismatch is dangerous because users and integrators may grant broad trust to a memory skill while it silently handles high-sensitivity secrets, enabling covert persistence of tokens or passwords beyond reasonable user expectations.

Context-Inappropriate Capability (Medium)
Confidence: 91%
Finding:
The module explicitly infers and stores users' emotional patterns from recent interaction history, which is sensitive psychological profiling rather than core memory/context management. In a skill that is described as always-on and triggered by any interaction, this creates disproportionate collection of sensitive inferences and increases privacy, manipulation, and trust risks.

Context-Inappropriate Capability (Medium)
Confidence: 90%
Finding:
The code performs 'identity evolution' profiling by deriving growth milestones and user-development signals from memory data. This exceeds ordinary context engineering and creates longitudinal profiling of the user, which is especially risky in a persistent memory skill because it can silently accumulate sensitive behavioral/personality inferences over time.

Description-Behavior Mismatch (Medium)
Confidence: 87%
Finding:
The module derives recommendations such as avoiding complex tasks, resting, or switching work based on inferred internal user state and tool-success patterns. In an always-on memory skill, this crosses from passive memory support into behavioral steering, which can influence user decisions using opaque profiling and may be inappropriate or harmful when based on weak signals.

Context-Inappropriate Capability (Medium)
Confidence: 95%
Finding:
The module persistently stores and updates a 'neuroticism tendency' score tied to a user, which is a sensitive psychological inference rather than a memory-management necessity. In an always-on memory skill, this expands profiling beyond the stated context-engineering role and can enable covert behavioral classification, unfair downstream decisions, or privacy harm if reused elsewhere.

Context-Inappropriate Capability (Medium)
Confidence: 92%
Finding:
The reflection subsystem explicitly stores interaction-derived records as 'meta-learning training data', which is a materially different capability from ordinary memory/context retention. Because this skill is described as always resident and triggered on any interaction, that broad capture creates hidden secondary use of user data and increases privacy and model-behavior manipulation risk.

Context-Inappropriate Capability (Medium)
Confidence: 89%
Finding:
The monitor asynchronously collects host-level CPU, memory, and disk metrics for the entire machine, not just resources directly tied to the skill’s memory/context functionality. In an always-on 'meta-skill' that runs on every interaction, this expands data collection scope and can expose environment fingerprints or sensitive operational telemetry beyond what is necessary, violating least-privilege and increasing privacy/security risk.

VirusTotal

VirusTotal findings are pending for this skill version.