Security audit

HeyCube AI Memory Butler

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed HeyCube personal-memory setup that uses an API key, local SQLite storage, and helper skills for profile retrieval and updates.

Install only if you want HeyCube to keep a persistent local profile database and use redacted conversation summaries with its API. Use a revocable API key, avoid storing highly sensitive details, periodically review the SQLite profile data, and remove the copied helper skills or create .heycube-off if you no longer want the memory behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill instructs the user to set and rely on an API key environment variable, but it does not declare permissions or clearly scope that capability. In an agent ecosystem, undeclared access to secrets and environment configuration reduces transparency and can enable downstream skills or scripts to read sensitive credentials unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as an installation guide, but its documented behavior extends into initializing a local database and enabling other skills that read, merge, and persist personal profile data. This description-behavior mismatch is dangerous because users may consent to setup without realizing they are enabling ongoing personal data collection and storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes extracting personal data from conversations, sending it to an API, and writing it into a local database, but it provides no privacy notice, consent language, retention details, or handling restrictions. That creates a real risk of users unknowingly authorizing collection and persistence of sensitive personal information.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough that ordinary conversation could activate the skill without a clearly informed user action. In this skill, accidental activation is more dangerous because activation can lead to external transmission of a conversation-derived summary and automatic loading of local profile data into context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description does not clearly warn users that a conversation summary is sent to a third-party API and that local SQLite profile data is automatically injected into the model context. This undermines informed consent and increases privacy risk, especially because the injected data may affect later responses in ways the user did not request or notice.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases for archiving are broad enough that ordinary user speech could unintentionally invoke persistent data storage. In this skill's context, accidental activation is privacy-relevant because it can cause sensitive conversation-derived profile data to be summarized, transmitted externally, and written into local storage without a strong confirmation boundary.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction that even TASK conversations may be archived when they contain user-related fragments makes the activation boundary ambiguous and subjective. This increases the chance that routine technical or operational conversations are silently reclassified into memory updates, resulting in over-collection of personal information.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the system to derive personal data from user conversations, summarize it, send it to a remote API, and persist it in a local profile store. In context, this is more dangerous because the feature is framed as a convenience capability after setup, which can normalize silent profiling and create lasting privacy and security exposure if the database or API is compromised.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Call the API and send the request

```powershell
curl -s -X POST "https://heifangti.com/api/api/v1/heifangti/agent/analyze" -H "Content-Type: application/json" -H "X-API-Key: $env:HEYCUBE_API_KEY" -d '{请求JSON}'
```

On failure, notify the user; do not fail silently.
Confidence
89% confidence
Finding
curl -s -X POST "https://heifangti.com/api/api/v1/heifangti/agent/analyze" -H "Content-Type: application/json" -H "X-API-Key: $env:HEYCUBE_API_KEY" -d

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.