site-memory

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it combines global browser memory with powerful control of logged-in Chrome tabs.

Install only if you intentionally want shared browser memory and are comfortable giving the agent live Chrome debugging power. Use a separate low-privilege browser profile for automation, avoid sensitive tabs and accounts, keep separate SITE_MEMORY_HOME paths for sensitive projects, review stored notes regularly, and do not set SITE_MEMORY_CDP_SCRIPT to an untrusted file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The proxy accepts SITE_MEMORY_CDP_SCRIPT from the environment and executes it with Node after only checking that the path exists. This allows any caller who can influence the environment to redirect execution to an arbitrary local script, which expands the skill from 'proxy to the bundled chrome-cdp skill' into a generic code-launcher. In the context of an agent skill, that broad execution surface is riskier because skills may run in automation environments where environment variables are easy to inject or misconfigure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The package metadata describes live Chrome session access and interaction with already-open tabs, which is materially different from the declared site-memory skill purpose of persistent note storage. This kind of capability mismatch is dangerous because it can cause a reviewer or downstream agent to trust a package under a benign memory-related label while actually introducing browser-session access with exposure to page contents, cookies, or sensitive workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill documents capabilities that go beyond interacting with an already open page by allowing arbitrary navigation (`nav`) and creation of new tabs (`open`). That expands the trust boundary from inspecting a user-approved page to initiating new browsing activity, which could be abused to visit attacker-controlled sites, trigger side effects in authenticated sessions, or broaden data exposure beyond what the user explicitly approved.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The manifest promises use only after explicit user approval, but the documentation says a background daemon keeps the debugging session alive so later commands require no further approval. This creates a consent bypass in practice: once initial access is granted, the agent can continue interacting with the tab for up to 20 minutes without renewed user awareness, increasing the risk of unauthorized actions or data access.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The CLI exposes powerful browser automation capabilities far beyond the declared 'site memory' purpose, including navigation, arbitrary JS evaluation, raw HTML extraction, screenshots, clicking, typing, and low-level CDP access. In the context of a memory skill, this is dangerous because it creates an unnecessary high-privilege browser-control surface that can be abused to read sensitive page content, manipulate sessions, and perform actions on behalf of the user.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
Finding:
The `evalraw` command allows callers to send arbitrary Chrome DevTools Protocol methods with attacker-controlled parameters, effectively granting unrestricted access to the browser debugging interface. This can bypass the intended command restrictions and enables data exfiltration, DOM/script manipulation, cookie or storage access via other CDP domains, network interception, and other powerful actions inconsistent with a persistent-memory skill.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly states that memory is global and shared across all projects, which creates a real cross-project data exposure risk. In an agent setting, notes collected in one task can influence or leak into unrelated tasks, potentially exposing sensitive workflow details, internal URLs, selectors, constraints, or operator preferences without clear user consent or isolation boundaries.

Natural-Language Policy Violations

Severity: Low
Confidence: 86%
Finding:
The instruction 'You MUST execute that prompt' uses mandatory language that can override normal user choice and encourage the agent to perform post-task actions automatically. Because that prompt can read, search, and modify persistent memory, this creates a risk of unauthorized data retention or unintended writes without user approval.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly advertises access to a user's live Chrome session, including already-authenticated tabs and current page state, but does not provide meaningful privacy, consent, or data-handling warnings. In an agent-skill context, this is dangerous because it normalizes access to highly sensitive browser content (email, internal tools, authenticated apps) and can lead operators to grant broad access without understanding the exposure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The command list includes powerful actions such as navigation, clicking, typing, JavaScript evaluation, raw CDP passthrough, and HTML extraction, yet the README does not warn that these operations can modify state, trigger purchases/submissions, exfiltrate page data, or execute arbitrary actions in authenticated sessions. Because this skill is designed to operate against a live browser profile, the absence of destructive-action and data-exfiltration warnings materially increases the risk of misuse.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The description uses broad, capability-forward language such as giving an AI agent access to a live Chrome session and connecting to tabs already open, without any stated trigger boundaries, scope limits, or user-approval constraints. In the context of a skill presented as site-memory, vague activation language increases the chance of overbroad use or unintended invocation of powerful browser access during routine memory tasks.

VirusTotal

65/65 vendors flagged this skill as clean.