
Security audit

mem-rag-milvus

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly coherent, but it can send stored memories and searches to an embedding service and keeps separate JSON backups that deletion does not clean up.

Install only if you are comfortable with assistant memories being persisted in both the main store and JSON backup files. Do not store secrets or regulated data unless you control the database and backup paths, trust the configured Ollama/Milvus services, and have a process to remove backup files when deleting memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation describes capabilities to read environment variables, write local files, access a SQLite database, and make network connections to Milvus/Ollama, yet the metadata declares no explicit permissions. This creates a transparency and consent gap: users or hosting platforms may install it without understanding that memory content can leave process boundaries or be persisted to disk.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond a simple local memory store by referencing external Ollama embedding generation, host/gateway service discovery, and an unimplemented ChromaDB backend. This mismatch is dangerous because users may assume purely local storage while the skill can contact external services or behave differently than advertised, increasing the risk of unintended data exposure and unsafe deployment assumptions.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README advertises automatic backup of all memories to local JSON files and 'privacy-first' local storage without warning that sensitive user content may be persistently duplicated on disk in a potentially less protected format. In a memory skill for AI assistants, stored content may include conversations, preferences, reminders, and other sensitive data, so undocumented backup behavior increases the risk of unintended retention and disclosure.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill advertises automatic backup to JSON files but does not clearly warn that stored memory content may be duplicated into local backup files. This expands the persistence surface for potentially sensitive conversations or metadata, making accidental disclosure, insecure file permissions, or retention beyond user expectations more likely.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: Memory content is sent to an embedding service over HTTP without any consent gate, minimization, or clear disclosure. In this skill's context, the stored data is explicitly 'memory' for an AI assistant, which may contain sensitive user prompts, personal data, or secrets, so silent transmission to another service meaningfully increases privacy and data-exposure risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code automatically persists full memory contents and metadata to JSON backup files on disk, with no encryption, retention limit, permission hardening, or user-facing notice. Because this component is designed to store assistant memory, the backups can accumulate sensitive historical data and become a local disclosure target if the host is shared, compromised, or misconfigured.

VirusTotal

61/61 vendors flagged this skill as clean.
