Local Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but users should understand it installs online dependencies and stores chosen memory text persistently on disk.

Install this only if you are comfortable with a Python setup that downloads packages and a model, preferably in an isolated environment. Do not store secrets or highly sensitive information unless you accept that it will persist in the skill's local data directory, and prefer ID-based deletion for important records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell/environment-backed capabilities without declaring permissions, which weakens transparency and consent around what the skill can do. In this context, the README instructs users to run local Python scripts and an installer, so undeclared execution capability is a real security concern even if it appears intended for setup and operation rather than overt abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims to be 'completely offline' while the described setup behavior installs packages from the network and downloads a model from an external Hugging Face mirror. That mismatch can mislead users into trusting the skill in restricted or sensitive environments, increasing the risk of unintended outbound network access, supply-chain exposure, and policy violations.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises a completely offline local-memory capability, but this script sets Hugging Face mirror and CA bundle environment variables before loading the embedding model for semantic deletion. In practice, if the model is not already present locally, `SentenceTransformer(MODEL_NAME)` may fetch assets from the configured remote endpoint, causing unexpected network egress, privacy leakage of usage context, and a violation of the stated trust boundary for a memory tool.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to provide fully offline local memory, but it sets Hugging Face endpoint and CA bundle environment variables that enable remote model resolution through a mirror. In this context, that creates a trust and privacy issue because user queries may be processed in a workflow that unexpectedly performs network access, contradicting the advertised offline behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description claims the memory system is 'fully offline', but the code explicitly configures Hugging Face mirror access via HF_ENDPOINT and may trigger network model downloads when SentenceTransformer(MODEL_NAME) is initialized. This creates a trust and privacy gap: user memory content and runtime metadata may be processed in an environment that unexpectedly depends on external infrastructure, which is especially risky for a local-memory skill that users may rely on for sensitive data handling.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include common everyday words like '记住', 'memory', and 'forget', which can cause accidental invocation during normal conversation. Because this skill persists and deletes data, broad trigger matching increases the chance of unauthorized memory writes or deletions without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation does not prominently warn users that the skill writes persistent data to disk and supports deletion operations. In a memory tool, this omission is significant because users may disclose sensitive information or invoke deletion without understanding the persistence and data lifecycle implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Loading SentenceTransformer(MODEL_NAME) by model name can trigger outbound network requests if the model is not already cached, yet the script does not disclose this behavior to users. Because this tool handles memory recall queries, unexpected external connectivity can leak sensitive prompts, metadata, or usage patterns and violates user expectations for a local-memory skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal