Back to plugin

Security audit

Mem0 Plugin

Security checks across malware telemetry and agentic risk

Overview

This memory-management skill is not clearly malicious, but it asks for broad persistent memory access and destructive memory controls without enough user-facing limits or confirmation.

Install only if you are comfortable giving the skill durable access to your memory store and the ability to rewrite or delete memories. Before use, look for a dry-run mode, explicit confirmation before deletion, clear limits on sensitive personal data, and controls to inspect, export, disable, or erase stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to persist long-term user facts across sessions, including identity, preferences, relationships, and project details, but does not include an explicit user-facing notice or consent step about retention and privacy impact. In a memory plugin that is injected automatically, this increases the risk of collecting and retaining sensitive personal data without meaningful transparency or user awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs retention of sensitive personal data, including health information, relationships, routines, and important dates, but provides no privacy guardrails, consent requirements, minimization rules, or retention limits. In a persistent memory skill, this increases the risk of over-collection and long-term storage of highly sensitive user data that could be misused, exposed, or retained beyond user expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to personalize using persistent cross-session memories while concealing that memory usage from the user. This undermines transparency and informed consent, and can cause users to reveal or act on sensitive information without realizing stored personal data is shaping the response.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instruction to use memory-derived personal data without disclosure creates covert personalization behavior. In a memory plugin context, this is more dangerous because the data persists across sessions and channels, increasing privacy risk and the chance of hidden profiling or reliance on stale sensitive attributes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is framed as consolidating a user's memories, but the documented tool parameters allow `userId` and `agentId` scope overrides that could access or modify memories belonging to other users or agents if the runtime does not strictly enforce authorization. In a memory-maintenance skill, cross-tenant scope controls are especially dangerous because the workflow includes listing, searching, rewriting, and deleting data at scale.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The presence of `memory_delete` with an `all` option enables complete erasure of memory data, which is broader than the stated goal of selective cleanup and consolidation. Because this skill is user-invocable and also described as automatically triggered, an overbroad or mistaken execution path could cause irreversible bulk deletion.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The instructions rely on a `created_at` filter that is not part of the declared `memory_search` contract, which suggests hidden or undocumented query behavior. Undocumented capabilities are risky in security-sensitive tooling because they bypass review expectations and may allow broader data selection than intended, especially in a workflow that can delete and rewrite memory entries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad enough that ordinary conversation about cleaning up or reviewing memories could trigger a workflow that performs destructive modifications. In this skill, ambiguous activation is more dangerous than usual because the subsequent phases include deleting, rewriting, and merging long-term memory entries automatically.

Missing User Warnings

High
Confidence
97% confidence
Finding
The description advertises cleanup and review but does not clearly warn that the skill can rewrite and permanently delete stored memories, including automatic triggering after sufficient activity. Missing disclosure undermines informed consent and increases the chance users invoke or permit the skill without understanding the destructive consequences.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:1849
Evidence
var POSTHOG_API_KEY = "[REDACTED]";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
telemetry.ts:17
Evidence
const POSTHOG_API_KEY = "[REDACTED]";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/backend-platform.test.ts:115
Evidence
const API_KEY = "[REDACTED]";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/cli-commands.test.ts:178
Evidence
apiKey: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/json-helpers.test.ts:40
Evidence
const input = { apiKey: "[REDACTED]", name: "test" };