
Security audit

Echo

Security checks across malware telemetry and agentic risk

Overview

The skill’s cloud memory sync purpose is clear, but it gives an agent broad sensitive-memory upload and restore authority without enough scope, provenance, or overwrite detail.

Install only if you can verify what echo-memory executable will run, which local memory files it reads, which Supabase project and credentials it uses, and whether restore can overwrite existing files. Use --dry-run first and back up memory files before restoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises sync and restore operations that write local files and send workspace data to Supabase, but it does not clearly warn the user about those side effects. This can lead to unintended data exfiltration to a third-party cloud service or unexpected overwrites of local files, especially when run by an agent or user who assumes the commands are read-only or low risk.

VirusTotal

58/58 vendors flagged this skill as clean.
