Memory Maintenance 2.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill broadly discloses its memory and task-automation behavior, but it encourages persistent storage of sensitive data and grants itself under-scoped session and cleanup authority.

Review before installing. Use only in a workspace where persistent task logs, memory files, and subagent sessions are acceptable. Do not allow API keys or other secrets to be written to MEMORY.md or daily memory files, and verify you can control scheduled cleanup, background sessions, and session termination behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The skill marketed as memory maintenance contains a general-purpose execution engine that can create sessions, run arbitrary task steps, stream progress, retry on error, and write results back to memory. That broader capability increases the attack surface because a memory-oriented skill can be repurposed into a generic task runner, enabling unintended actions outside the declared scope.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The usage examples explicitly show spawning a subagent session to execute a user task about configuring scheduled jobs, which goes beyond passive memory maintenance. Examples matter because they define intended use; here they normalize using the skill as a general automation entry point, which can lead to unauthorized or overly broad actions.

Intent-Code Divergence
Severity: High
Confidence: 94%
Finding: The file presents itself as a memory-maintenance skill, but the implementation includes broader operational capabilities such as arbitrary task execution, session spawning, cron configuration, and skill creation. This mismatch is dangerous because users and reviewers may grant trust or permissions appropriate for a narrow memory tool while the code behaves like a general-purpose automation agent.

Intent-Code Divergence
Severity: High
Confidence: 92%
Finding: The MemoryMaintainer class documentation claims a memory-oriented role, yet the class contains unrelated control and execution logic that can perform broader actions on behalf of the user. In a security review, this kind of capability misrepresentation increases the chance of over-privileging and under-reviewing dangerous behavior.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The skill includes capabilities to create skills, configure scheduled tasks, query external data, and execute generic tasks through spawned sessions, all of which exceed the stated purpose and can be abused for persistence or unreviewed automation. In the context of a supposed memory tool, these extra powers are especially risky because they enable lateral expansion of functionality without explicit trust boundaries.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill includes automated deletion of memory files and removal of obsolete entries, but does not present a clear upfront warning about potential data loss or retention policy before use. In a memory-management context this is especially risky because users may assume preservation, while background cleanup can permanently remove records they expected to keep.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The description presents the skill as a general-purpose assistant for task execution, memory maintenance, retries, and progress reporting without clear scope boundaries. In an auto-invocation or discovery-based system, this can cause the skill to be selected for unrelated user requests, expanding access to memory/session capabilities beyond what is necessary.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The examples include broad everyday actions such as creating a new skill and checking the weather, which are not clearly tied to memory maintenance. This increases the chance that orchestration logic or a human operator treats the skill as a catch-all agent, potentially granting it access to session and memory operations in contexts where a narrower skill should be used.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The code writes failure information to persistent logs without explicit disclosure that user-related task details may be stored. This is dangerous because operational logs often accumulate sensitive inputs, errors, and traces that users did not knowingly consent to retain.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The initialization logic creates memory files intended to persist user-related information, but there is no explicit notice or consent mechanism informing the user that their task content may be stored on disk. In a memory-oriented skill, undisclosed persistence materially raises privacy and data-governance risk.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: Successful task results are appended to daily Markdown files without explicit disclosure that task information will be retained persistently. This can expose sensitive user prompts, preferences, or operational details long after the task completes.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The skill is designed to persist conversation history, user preferences, device/environment details, and task logs into memory files, creating long-term retention of potentially sensitive natural-language data. In this context, a memory skill makes the issue more dangerous because persistence is a core feature, increasing the chance of later disclosure, over-collection, and secondary misuse.

Ssd 3
Severity: High
Confidence: 99%
Finding: The permanent-memory tier explicitly lists API keys among items to retain indefinitely, encouraging storage of secrets in durable plain-language memory. This is highly dangerous because compromise of memory files, logs, backups, or downstream exports would expose reusable credentials and enable account or infrastructure takeover.

Ssd 3
Severity: High
Confidence: 97%
Finding: The serialization routines write raw user requests, generated memory content, and failure details directly into Markdown and JSON outputs, which can expose sensitive prompts, personal data, credentials, or operational context. Because these formats are easy to inspect, sync, back up, or share, this greatly increases leakage risk across tools and users.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The design explicitly persists user task descriptions, preferences, and interaction details into long-term memory and logs in plain language. This is dangerous because it centralizes potentially sensitive behavioral and personal data in a durable, human-readable form that may be over-retained or exposed.

Ssd 3
Severity: Medium
Confidence: 90%
Finding: The memory template instructs the system to preserve long-term records of user preferences, habits, decisions, and similar personal details. In the context of an agent skill, this increases privacy risk because the template normalizes broad behavioral profiling without clear necessity or boundaries.

Ssd 3
Severity: Medium
Confidence: 92%
Finding: The code converts successful task executions into memory entries and appends them to persistent daily files, which can easily capture sensitive user-supplied content or confidential task results. Because this happens as part of the normal execution flow, users may be unaware that routine interactions are being turned into durable records.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal