Security audit

Relic Soul Chip

Security checks across malware telemetry and agentic risk

Overview

This instruction-only memory skill is not malicious, but it needs Review because its persistent startup anchor can move personal memories and raw conversations across systems with inconsistent consent wording.

Install only if you want persistent cross-agent memory and are comfortable reviewing the anchor before pasting it. Disable or block the GitHub version check for offline use, avoid storing secrets or full raw conversations unless you explicitly want that retention, and verify where host memory sync writes so deletion and rollback are clear.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (42)

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The document makes broad claims that no files outside ~/relic/brain/ are accessed, while other sections explicitly permit reads from arbitrary user-specified external paths during setup. This discrepancy can mislead users and reviewers about the true trust boundary, increasing the chance that sensitive files outside the declared scope are read under the guise of setup.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The file explicitly instructs the agent to internalize and adopt an external SOUL.md personality as its working profile for the session. That goes beyond simple data synchronization and creates a behavior-override channel where untrusted repository content can steer system behavior, safety posture, or user interaction style.

Context-Inappropriate Capability

Low

Confidence: 82% confidence
Finding: The anchor authorizes a network version check at session start, which introduces outbound communication into a tool marketed as local, zero-dependency Markdown sync. Even if limited, this creates an unexpected exfiltration and tracking surface and normalizes routine network access from externally supplied startup instructions.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The anchor instructs the agent to make an external HTTP request during startup even though the skill is presented as a local, zero-dependency Markdown sync mechanism. That expands the trust boundary, introduces network egress, and can leak usage metadata or environment details without being necessary for the core function.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: Requiring an outbound HTTP request for version checking is not justified by the stated purpose of local file-based memory/personality synchronization. Unnecessary network access increases attack surface and can enable telemetry or exfiltration patterns that users would not expect from a Markdown-only skill.

Intent-Code Divergence

High

Confidence: 92% confidence
Finding: The document claims initialization is strictly read-only, but later instructions in the embedded anchor tell the agent to immediately backfill missing session logs. Conflicting directives around write timing make it easier for an agent to perform unintended persistence actions before the user understands or approves them.

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The file first forbids modifying Relic files during initialization, but later mandates writing every session to SESSIONS/ before ending. While not identical phases, the overall guidance is inconsistent and can cause agents to over-apply write obligations, especially when startup and shutdown rules are embedded into persistent anchors.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The anchor instructs the agent to perform an HTTP request on every session start, which expands the skill from local file handling into networked behavior. This creates unnecessary data-flow and tracking risk, and it contradicts the expectation that the system is purely local and zero-dependency.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The protocol directs the agent to copy Relic data into the host platform's own memory system, extending storage beyond the Markdown files the user may expect. This can propagate sensitive information into opaque, harder-to-audit persistence layers and make deletion or consent management much more difficult.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The remote version check introduces network capability without strong justification for the core memory-sync function. In a skill positioned as local Markdown-based persistence, hidden or automatic network access materially increases attack surface and privacy risk.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The instructions tell the agent to write anchor content into external host configuration or instruction files, changing behavior outside the Relic store. Modifying boot/config files can create persistent cross-session behavior, broaden scope unexpectedly, and may let the skill influence future sessions in ways the user does not fully understand.

Intent-Code Divergence

Low

Confidence: 81% confidence
Finding: Claiming the network check is 'the only network request' conflicts with the advertised pure-Markdown, zero-dependency model and can mislead users about the system's true behavior. Misrepresentation reduces informed consent and may cause users to trust a broader capability set than they intended.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The anchor explicitly instructs the agent to perform an HTTP request at every session start, which introduces undisclosed network egress into a skill advertised as local Markdown-based memory sync. Even if the request is only for version checking, it can leak metadata such as usage timing, IP address, and deployment patterns, and it expands the trust boundary beyond local files.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The instructions direct copying Relic memory into platform-native memory systems outside the Relic Markdown store, causing cross-store propagation of personal data into systems with different retention, visibility, and security properties. This broadens persistence and makes deletion, auditing, and consent management much harder, increasing the risk of unintended disclosure or over-retention.

Intent-Code Divergence

Medium

Confidence: 86% confidence
Finding: The sensitive-data guidance is internally inconsistent: one section says previously stored sensitive data still requires per-item user confirmation before migration, while another says it does not need to be re-asked. Ambiguous handling of secrets and personal data is dangerous because an agent may choose the less protective interpretation and migrate sensitive content without valid confirmation.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The anchor mandates writing the current conversation to SESSIONS/ before ending every session, but the surrounding instructions do not present a clear, prominent privacy warning or meaningful consent flow for persistent transcript storage. This can lead to silent retention of sensitive user data, credentials, or regulated information across sessions in plain files.

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The instruction to create local backup files for content that does not fit increases duplication of user data without specifying storage location, retention, access controls, or user consent. That expands the attack surface and can leave sensitive data scattered across unmanaged local files.

Natural-Language Policy Violations

Low

Confidence: 83% confidence
Finding: The skill instructs the agent to replace its default persona with SOUL.md for the session without a robust opt-in or clear safety boundaries. While framed as personalization, this can mislead users about who controls the agent's behavior and allow imported content to influence tone, priorities, or responses in unexpected ways.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The skill directs the model to adopt the persona defined in SOUL.md whenever it conflicts with the default persona, without requiring explicit user opt-in for that session. This can override expected model behavior and create deceptive or unintended interactions, especially if SOUL.md contains manipulative instructions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The remote HTTP version check lacks clear disclosure about what endpoint is contacted, what information may be transmitted, and what privacy risks follow from network access. Users reasonably expect a local Markdown skill to remain offline, so this omission is security-relevant.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The document instructs the agent to copy Relic memories into the platform's built-in persistent memory system, but it does not adequately warn about long-term retention, cross-session reuse, or platform-specific privacy consequences. This can cause sensitive user data to be stored in a broader or less controllable location than expected.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The instruction to create local backup files when capacity is insufficient creates additional copies of potentially sensitive user data without sufficient warning. Extra replicas increase exposure, complicate deletion, and may place data in locations with weaker protection than the original Relic store.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to write session transcripts to persistent storage at the end of every session, but it does not require explicit user notice or consent before doing so. This creates a privacy risk because sensitive conversation content may be retained on disk unexpectedly and later exposed to other agents, users, backups, or repository sync mechanisms.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The boot sequence directs the agent to make an HTTP request automatically at session start, but it does not instruct the agent to warn the user or obtain approval first. Even a single outbound request can leak metadata such as IP address, timing, environment usage, or repository/version information to an external service without user awareness.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The file explicitly instructs the agent to write the complete raw conversation log to SESSIONS, but it does not require clear user consent, data minimization, or a privacy warning before doing so. This creates a meaningful risk of storing secrets, credentials, personal data, or regulated information in durable Markdown files that may later be synced, exposed, or accessed by other agents.

VirusTotal

No VirusTotal findings

View on VirusTotal