Lily Memory 5.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent persistent-memory plugin whose storage, recall, and local embedding behavior match its stated purpose, though users should understand the privacy implications before enabling it.

Install only if you want the agent to remember facts across sessions. Review the database path, consider disabling autoCapture, autoRecall, or vectorSearch for sensitive work, and keep ollamaUrl on a trusted local endpoint unless you are comfortable sending memory/query text to that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required binaries and explicitly documents use of SQLite, native fetch, and an Ollama HTTP endpoint, which implies shell/database access and network communication without any corresponding permission or trust disclosure in the manifest. This creates a transparency and governance gap: operators may enable a plugin with broader capabilities than the metadata suggests, increasing the chance of unintended data access or exfiltration paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises auto-capture of conversation facts, auto-recall, and persistent storage, but does not prominently warn users that potentially sensitive conversation content may be retained across sessions and re-injected into future prompts. In an agent plugin, this creates a real privacy and data-governance risk because secrets, personal data, or confidential task context can be unintentionally stored and surfaced later.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic fact extraction and persistent storage but does not present a prominent user-facing warning that conversation content will be written to long-term local storage. Users may disclose secrets, credentials, or personal data during normal interaction without realizing that the plugin will retain them across sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented auto-recall behavior silently injects stored memories into future model turns, but the skill text does not clearly warn that prior conversation content may reappear in later prompts and responses. This can surface previously stored sensitive data in unrelated contexts, especially after users assume the information is no longer active.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes semantic search via Ollama and exposes a configurable HTTP endpoint, but it does not clearly warn that stored memory text may be transmitted to that service for embedding generation. Even when the default is localhost, the configurable endpoint broadens the risk to remote services or misconfigured hosts, potentially disclosing retained conversation data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The plugin exposes a tool that persistently stores user-supplied facts and also enables automatic capture of conversation content without any explicit consent or user-facing notice. In a memory plugin, this creates a real privacy and data-governance risk because sensitive information may be retained across sessions unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When vectors are enabled, the plugin sends memory content and user queries to the Ollama embedding service via storeEmbedding/vectorSearch without any user-facing warning. Even if Ollama is configured as localhost by default, the URL is configurable, so stored memories or live queries could be transmitted to another service unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code automatically extracts and persists facts from user and assistant messages into long-lived storage without any visible consent, notice, or opt-in gate in this flow. Because the plugin is explicitly a persistent memory system with 14- to 90-day retention, it can silently retain sensitive personal, contextual, or confidential data that users may not expect to be stored beyond the current session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends arbitrary memory text to an Ollama HTTP endpoint for embedding generation without any consent gate, warning, or restriction at the call site. In a persistent-memory plugin, that text may contain sensitive agent context, secrets, or user data; if the Ollama URL is remote or misconfigured, this creates an unintended data exfiltration path.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The plugin enables automatic capture and persistent storage of conversation-derived facts by default, but the manifest text does not warn users about retention, sensitivity, or privacy implications. In a memory plugin, this creates a real privacy and data-governance risk because users may unknowingly persist secrets, personal data, or regulated information to disk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Automatic recall injects stored memories into each LLM turn, which can expose previously captured sensitive content to future prompts without clear user awareness. This is especially relevant in a memory skill because hidden context injection can broaden data exposure and make downstream model behavior less predictable.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Enabling vector search through Ollama embeddings means conversation-derived text may be transmitted to an embedding service, yet the manifest does not explicitly warn about that data flow. Even if Ollama commonly runs on localhost, the configurable URL allows remote endpoints, so users may unknowingly send sensitive memory content off-box or to less trusted services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This smoke test is explicitly documented to run against a LIVE database and later performs write operations through imported plugin functionality such as semantic search helpers, recall/capture hooks, and direct SQL execs in the same test flow. Even though many mutations target a temp smoke DB, exercising code against a real user memory database without an interactive confirmation, read-only guard, or isolated fixture can cause unintended persistence, corruption, privacy exposure, or destructive side effects if the tested functions mutate state or are extended later.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persistent auto-capture combined with auto-recall creates an inherent sensitive-data retention and resurfacing channel: user-provided facts can be stored indefinitely and later injected back into model context. In a memory plugin this behavior is intentional functionality, but without consent, minimization, or filtering it materially increases privacy and secret-handling risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The documented capture flow says responses are scanned for `entity: key = value` patterns and then persisted to SQLite, which creates a direct retention path from natural-language content into durable storage. Because model responses can contain user secrets, internal prompts, or transient sensitive values, this mechanism can inadvertently preserve data that was never meant for long-term storage.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is intentionally designed to retain and recall information across sessions, which matches the plugin's purpose, but that behavior still creates a real privacy exposure if users are not clearly informed. Cross-session retention increases the chance that sensitive user data persists longer than expected and is later reused in unrelated contexts.

Ssd 3

Medium
Confidence
97% confidence
Finding
The agent_end hook automatically extracts facts from prior messages and saves them into persistent storage, which can capture personal, confidential, or irrelevant information without user review. Because this occurs after successful conversations and at scale over time, it meaningfully increases privacy and data-minimization risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
The before_agent_start hook prepends recalled memories into future prompts, which can resurface prior private inputs to the model or to downstream tools without the user's current awareness. This is especially risky when memories include sensitive facts or when prompts are later shared with external model/services.

VirusTotal

66/66 vendors flagged this skill as clean.
