Security audit

EchoChat

Security checks across malware telemetry and agentic risk

Overview

EchoChat is openly a personal-memory chat skill, but it proposes exporting and sharing sensitive memory context without explaining consent, scope, or data controls.

Review carefully before installing. Use this only if you intentionally want an agent to access personal memory data, and confirm the real echo-chat implementation lets you choose which memories are used, requires consent for peer sharing, shows what will be exported, and supports deletion or revocation of memory-derived data.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly supports exporting conversations that include memory references, which creates a clear risk of exposing sensitive personal data if users are not warned and access controls are weak or misunderstood. In a memory-grounded chat system, exported transcripts may contain intimate history, inferred traits, or third-party information, making the omission of privacy guidance materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.
