Security audit

Rag Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real RAG memory skill, but it defaults to sending ordinary prompts and stored memory content to configured embedding and vector services with limited runtime visibility.

Install only if you intend to use a self-hosted or fully trusted embedding service and Qdrant instance for private memory. Before enabling it, review auto_inject and consider setting it to false unless you want every sufficiently long prompt to be embedded for memory lookup; also avoid syncing arbitrary files with --file unless you are comfortable storing their contents in the vector database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium (94% confidence)
The documentation makes inconsistent privacy claims: it correctly states that memory content is sent to the embedding endpoint and Qdrant, then later says no data is sent to any external party. Even if the services are user-configured or self-hosted, this contradiction can mislead users into underestimating data exfiltration risk and consenting without full understanding.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
The --file mode accepts any user-supplied path, resolves it, and indexes its contents into Qdrant without restricting it to MEMORY_DIR or configured skill directories. In an agent context, this expands the skill's data-ingestion scope beyond its declared memory/skill-doc sources and can be abused to ingest arbitrary local markdown files, including sensitive notes or operational documents, into a searchable vector store.

Vague Triggers

Severity: Medium (78% confidence)
The trigger terms include broad phrases like 'RAG' and 'qdrant', which can cause the skill to activate in contexts not intended by the user. Because the skill can search and auto-inject memory-derived content into prompts, overly broad activation increases the chance of unnecessary retrieval of sensitive data and prompt-context contamination.

Missing User Warnings

Severity: Medium (95% confidence)
The before_prompt_build hook automatically embeds the user's latest message and sends it to the configured embedding service without any visible notice, consent gate, or per-request opt-in. In a memory/RAG skill this behavior is functionally expected, but it still creates a real privacy and data-handling risk because arbitrary user prompts may contain secrets, personal data, or sensitive business content that are transmitted to external infrastructure.

Vague Triggers

Severity: Medium (93% confidence)
The manifest description states the skill will 'auto-inject relevant context before each response,' which signals broad automatic activation rather than a narrowly scoped, user-invoked action. In a memory/RAG skill, this can cause silent retrieval and injection of stored content into unrelated conversations, increasing the risk of privacy leakage, prompt-scope expansion, and unexpected behavior.

Natural-Language Policy Violations

Severity: Low (89% confidence)
The phrase 'before each response' implies forced automatic behavior without meaningful user choice, and the config shows auto_inject defaults to true, reinforcing that this is not merely descriptive. For a skill that accesses vector memory and synced records, unconditional pre-response retrieval can surface sensitive or irrelevant prior data and create hidden context that the user did not request.

Missing User Warnings

Severity: Medium (90% confidence)
The script sends raw content from local markdown files and PostgreSQL memory records to an external embeddings endpoint defined by EMBED_BASE_URL. Because these sources may contain sensitive user memory, logs, tool usage, or skill documentation, transmitting them off-host without an explicit consent or trust boundary check creates a real confidentiality risk, especially in an agent memory system.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/monitor_vector_search.js:26