Back to skill

Security audit

Heartflow Minimal2

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AI memory/cognition skill, but it stores conversation data locally by default despite saying sensitive file writes require explicit authorization.

Install only if you are comfortable with the skill keeping local long-term memory of conversations and inferred profile data. Avoid using it with secrets or regulated data unless you have reviewed the storage paths and controls; set HEARTFLOW_MEMORY=off if you do not want memory persistence, and enable any code execution, external service, or daemon features only with explicit intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest advertises sensitive capabilities such as code execution and environment-variable access, but does not declare a corresponding permission model in a machine-checkable way. That creates a trust gap: hosts or users may assume the skill is lower-risk than it is, while the skill still exposes shell/env-capable functionality according to the broader package behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a real and important description-versus-behavior mismatch. The skill claims dangerous capabilities are disabled unless explicitly authorized, yet the analyzed behavior indicates default environment reads, persistent local storage, memory/history retention, and exposed code-execution-related modules; this can mislead users into granting trust they would not otherwise give and can result in silent collection or retention of sensitive data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The security section says there is no HTTP service, while another section explicitly states an optional background HTTP MCP server exists. Contradictory security claims are dangerous because reviewers and operators may deploy the skill under incorrect assumptions, potentially exposing a listening service they did not intend to run.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code comment and API contract claim dialogue history is AES-256-GCM encrypted, but recordDialogue() writes full message content as plaintext JSONL under the local memory directory. This creates a confidentiality gap: users or integrators may rely on stated encryption guarantees while sensitive conversations are actually stored readable on disk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata says there is no automatic data exfiltration and frames sensitive capabilities as requiring explicit authorization, but the engine silently initializes a memory vault that stores user inputs, self-memories, and context across sessions by default. Understating this persistence is dangerous because users may disclose sensitive data without understanding it will be durably retained locally.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
This cognitive engine exposes code generation and execution subsystems directly in the same central dispatchable object, increasing the chance that unrelated natural-language tasks can reach powerful execution surfaces. In a complex agent with broad routing and lazy module loading, this expands attack surface and makes prompt-to-action escalation more likely if access controls fail elsewhere.

Scope Creep

High
Confidence
98% confidence
Finding
The manifest says file-system writing requires explicit authorization, but start() automatically enables and initializes persistent memory, creating directories and writing access-control and memory files without a prior consent gate. This violates the declared trust model and causes silent retention of potentially sensitive user data.

Scope Creep

Medium
Confidence
84% confidence
Finding
The engine automatically reads environment variables such as HEARTFLOW_MEMORY and HEARTFLOW_MODEL_PROFILE during startup, despite the manifest representing environment access as an explicitly authorized capability. While less severe than direct exfiltration, this still violates least surprise and can alter behavior based on ambient secrets or deployment configuration without user approval.

Scope Creep

High
Confidence
96% confidence
Finding
The module is explicitly designed to persist cross-session memory to `data/memory-bank.json`, which is a filesystem write capability. The skill metadata says filesystem writes are default-disabled and require explicit user authorization, but this file loads from disk in the constructor and later saves automatically without any visible authorization gate, so persistent storage can occur silently.

Scope Creep

High
Confidence
98% confidence
Finding
The save paths create directories and perform atomic writes/renames to persistent storage with `_doSave`, `_doSaveAsync`, and related helpers, but there is no evident authorization or capability enforcement in these paths. Because autosave is triggered by normal API use, any caller that deposits or recalls memory can indirectly cause disk writes beyond the declared default-disabled write scope.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The pipeline is presented as an analysis/orchestration engine, but it writes persistent records into memory and seeds core identity records as side effects. That creates hidden state changes and retention of user-derived content, which can surprise integrators, violate least-privilege expectations, and increase privacy risk if memory is later queried, exposed, or reused across sessions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The decision stage does not stop at analysis; it invokes decisionExecutor.apply on the selected decision, allowing the pipeline to trigger actions based on internal judgments. In a skill advertised primarily as a cognition/analysis engine, this expands the trust boundary from reasoning into actuation, raising the risk of unintended side effects if downstream executors can modify state, files, services, or external systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fast pipeline also calls decisionExecutor.apply, meaning even lightweight or heuristic-driven processing can produce real actions. Because fast mode is selected automatically for many inputs, users may trigger execution in situations where they reasonably expect only a quick analysis response, increasing the chance of unsafe or unjustified actions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The module goes beyond reasoning orchestration by pulling adaptive-learning profile data such as blindspots and clarification history and using it to shape output. Even if no exfiltration is shown, this is a privacy and scope-expansion issue because persistent profiling can infer sensitive traits and is performed without clear consent or necessity for the core task.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code accesses adaptiveLearning.getProfile('anonymous') and related profile state without demonstrating that memory-backed profiling is required for reasoning. This creates unnecessary access to accumulated user data and increases the risk of hidden retention, misclassification, or secondary use of behavioral information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The dialogue logging path appends full user and model content to local history files without a user-facing warning or just-in-time consent at the write site. Even if local-only, this is risky because highly sensitive prompts or outputs may be retained unexpectedly and accessed by other local users, backups, or support tooling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This component stores and reloads cross-session conversational memory from disk, which creates a privacy risk if users are unaware their data persists across sessions. Although the metadata mentions persistent memory and optional encryption, the code itself provides no user-facing warning, consent capture, or retention control at the point of collection or storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persistently stores raw user input to disk in `user-memories.jsonl` without any consent check, notice mechanism, retention control, or field-level minimization. In this skill's context, the engine is explicitly designed to accumulate long-term conversational memory, so sensitive prompts, personal data, credentials, or regulated information may be retained and later resurfaced across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill writes model-derived outputs and metadata such as decisions, confidence, emotion, and insights to persistent storage with no visible user disclosure or policy enforcement. This is risky because inferred metadata can reveal sensitive attributes or internal assessments about the user and may be inherited into future conversations, amplifying privacy exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code stores slices of raw user input, judgments, decision type, and confidence into memory without any visible consent, notice, or retention policy enforcement in this file. That creates a privacy and compliance risk because sensitive prompts or inferred data may persist beyond the immediate interaction and become accessible to later components or sessions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Fast mode duplicates the same undisclosed persistence behavior, storing raw input and judgment artifacts into memory. Because fast mode is more likely to run on routine interactions, it broadens the volume of retained user data and makes silent retention more pervasive.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
In the PARSE stage the module invokes psychology/empathy analysis and knowledge retrieval on user input without any user-facing disclosure or consent boundary. Those operations can derive sensitive emotional and psychological inferences and query stored knowledge about the user/request, which raises privacy risk even absent external exfiltration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The adaptive-learning block derives and uses persistent profile traits such as blindspots and clarification counters without clear disclosure. Persistent behavioral profiling can reveal user weaknesses or preferences over time and can be repurposed in manipulative or privacy-invasive ways.

Ssd 3

High
Confidence
99% confidence
Finding
The memory vault is intentionally designed to preserve essentially all user inputs across sessions by default, with very high retention thresholds and automatic restoration on startup. For an AI skill handling arbitrary conversations, default cross-session retention materially increases privacy risk, especially for secrets, personal data, and confidential project content.

Ssd 3

High
Confidence
99% confidence
Finding
The user memory layer records most inputs to permanent storage and scores them for importance, with only limited filtering for obvious test strings. This broad collection behavior can capture credentials, personal data, proprietary text, and regulated data without meaningful minimization or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.