TagMemory

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent local memory tool, but it should be reviewed because it persistently stores user memories, can expose them in bulk, ships with prefilled sample memory data, and has mismatched runtime metadata.

Install only if you intentionally want a local persistent memory database. Inspect or remove the bundled pending_summary.json before first use, verify the runtime entry/hook packaging, avoid storing secrets or highly sensitive personal data, and make sure you know how to review and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation shows file-writing capability via CLI storage commands, but the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or user may invoke persistent writes to local storage without explicit permission review, which is especially sensitive for a long-term memory skill handling user data.

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The docstring promises that explicit '记住...' ("remember...") content will be stored only in TagMemory and excluded from LCM summaries, but this file implements only intent extraction and tagging, with no enforcement hook to prevent LCM retention. In a memory-management skill, this creates a real security/privacy mismatch: users may disclose sensitive preferences or decisions believing they are confined to one storage path while they may still be duplicated into another memory layer.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The module claims to generate a summary and ask for confirmation, but on confirmation it expands that summary into multiple new long-term memory records. This changes data persistence scope and can amplify sensitive information retention, causing privacy and data-minimization issues if users do not understand that one summary confirmation creates many durable records.

Missing User Warnings

Medium
Confidence: 84%
Finding: The README promotes a long-term memory system that stores user data locally and emphasizes persistence, but it does not clearly warn users that sensitive personal information may be retained on disk beyond the current session. In a memory-oriented skill, this omission is security-relevant because users may disclose private data under the assumption that it is ephemeral, leading to unintended retention and later exposure through local compromise, backup leakage, or shared-device access.

Vague Triggers

Medium
Confidence: 89%
Finding: The trigger model is broad (e.g., reacting to phrases like '记住...' ("remember...") or '我之前...' ("I previously...")), which can overlap with ordinary conversation and cause unintended activation. In a memory skill, accidental triggering is more dangerous because it can silently store or retrieve sensitive personal information from normal dialogue.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill promotes long-term storage of user preferences, decisions, people, and events, but does not provide a prominent warning about persistent retention of personal information. Without explicit notice and consent, users may disclose sensitive data they do not realize will be stored and later surfaced, increasing privacy and data-protection risk.

Missing User Warnings

Medium
Confidence: 91%
Finding: The module creates and writes to a persistent SQLite database under the user's home directory automatically during initialization, with no disclosure or consent mechanism in this layer. In a memory skill that stores user dialogue-derived long-term memories, silent persistence increases privacy risk because sensitive personal information may be retained unexpectedly and exposed to local compromise or future misuse.

Missing User Warnings

Medium
Confidence: 88%
Finding: During an 'update', the code deletes the existing memory record before inserting the replacement, without confirmation, rollback protection, or transactional safety. In a long-term memory skill, this can silently destroy previously verified or user-important data, and if insertion fails after deletion, the memory may be lost entirely.

Missing User Warnings

Medium
Confidence: 90%
Finding: The summary draft is silently written to a predictable local file path without a user-facing notice or consent flow. In a memory system that handles personal preferences, decisions, and events, this can expose sensitive data to other local users, backups, logs, or tools that inspect the filesystem.

Missing User Warnings

Medium
Confidence: 92%
Finding: Confirmed summaries are inserted into the memory database as multiple verified entries, but the user-facing messaging only says the summary is confirmed and archived. In this skill context, the database is long-term memory storage, so insufficient disclosure can cause users to unknowingly persist more personal data than intended.

Ssd 3

Medium
Confidence: 87%
Finding: The query function returns raw stored memory content, summaries, tags, timestamps, verification state, and agent identifiers in a broad, plain-language format. In a long-term memory skill, that materially increases privacy risk because any caller with access to the tool can retrieve accumulated sensitive user data without an obvious access-control or data-minimization check in this file.

Ssd 3

Medium
Confidence: 91%
Finding: The listing interface enumerates stored memories in bulk and exposes full content fields for each result, making mass disclosure easier than targeted search. In the context of a persistent memory system intended to store user preferences, decisions, projects, and personal events, bulk listing magnifies confidentiality risk and can reveal a broad history of private data to any unauthorized or overly permissive caller.

VirusTotal

64/64 vendors flagged this skill as clean.