多身份智能知识体系 (Multi-Identity Intelligent Knowledge System)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it gives agents broad, automatic, cross-persona persistence and retrieval of personal conversation content without clear consent controls.

Install only if you want agents to maintain a shared, long-lived personal memory across roles. Treat it as a local personal data store: avoid saving secrets, health/financial details, credentials, or private third-party information unless you are comfortable with later cross-context reuse. Prefer manual confirmation for writes, use a private storage path, and review or prune the memory files regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The CLI exposes maintenance operations such as rebuild-index and recalc-importance that can rewrite metadata, indexes, and stored records, going beyond the core user-facing memory actions described in the skill. In a shared memory store, these operations increase the attack surface and make accidental or unauthorized bulk modification of the knowledge base possible.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically persist conversation-derived content into long-lived storage, but does not require a clear user-facing warning at the point of collection. Because the stored data is personal knowledge and may include reflections, decisions, and experiences, silent persistence creates a meaningful privacy and consent risk.

Missing User Warnings

High
Confidence: 98%
Finding
The note explicitly tells the agent to call store or query without the user needing to request it, while the skill is designed for cross-persona memory reuse. This combination allows silent collection and resurfacing of user data across contexts without a strong privacy warning or contextual consent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill persistently stores arbitrary user-provided content to disk in a shared memory location without any user-facing disclosure, consent gate, or sensitivity warning. Because the skill is explicitly cross-persona, users may unknowingly place sensitive material into long-lived storage that can later be surfaced in other contexts.

Ssd 3

Medium
Confidence: 97%
Finding
The skill directs the agent to semantically infer when a user statement is worth storing and to write it into persistent shared memory without explicit per-write consent. That creates a silent surveillance-like data retention pattern where sensitive personal insights may be recorded more broadly than the user expects.

Ssd 3

High
Confidence: 99%
Finding
These instructions normalize proactive storing and querying without a clear user request, enabling both hidden retention and hidden resurfacing of personal information. In a cross-persona memory system, this materially increases the chance of contextual integrity violations, where data shared in one context reappears in another unexpectedly.

Ssd 3

High
Confidence: 95%
Finding
A unified cross-identity memory layer is inherently sensitive because it encourages broad reuse of personal information across different agent roles and contexts. Without strict compartmentalization, data minimization, and consent controls, benign information from one persona can become privacy-invasive when correlated or reused elsewhere.

Ssd 3

Medium
Confidence: 95%
Finding
The skill is explicitly designed as a unified cross-identity memory layer and defaults query behavior to broad retrieval semantics, enabling one persona or workflow to access content created under another. In security terms, this violates isolation expectations and can leak sensitive prior user data across contexts without policy checks, sensitivity labels, or need-to-know restrictions.

Ssd 3

Medium
Confidence: 96%
Finding
The reflection feature returns all entries in a time window, including full content in all_entries and high-importance records for downstream LLM summarization. This creates a broad semantic exfiltration path where historical sensitive content can be re-exposed wholesale, especially dangerous because the skill is a persistent shared knowledge base rather than a narrowly scoped temporary cache.

VirusTotal

65/65 vendors flagged this skill as clean.