Back to skill

Security audit

Git-Based Knowledge Graph Memory System for Claude Code

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local git-backed memory skill, but it tells the agent to persist project and user context silently and can automatically change git state in the target directory.

Install only if you intentionally want always-on local memory for a project. Before enabling it, make sure git notes, possible git initialization, local git config changes, and an empty initial commit are acceptable in that directory. Avoid using it for sensitive repositories unless you add rules requiring explicit approval before storing memory, excluding secrets and personal data, and periodically inspecting or deleting stored notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Save notes for current branch."""
    root = _ensure_git(cwd)
    ref = _ref(name, cwd)
    subprocess.run(
        ["git", "notes", "--ref", ref, "add", "-f", "-m", json.dumps(data, separators=(',', ':')), root],
        cwd=cwd, capture_output=True
    )
Confidence
93% confidence
Finding
subprocess.run( ["git", "notes", "--ref", ref, "add", "-f", "-m", json.dumps(data, separators=(',', ':')), root], cwd=cwd, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Check if git repo exists
    if subprocess.run(["git", "rev-parse", "--git-dir"], cwd=path, capture_output=True).returncode != 0:
        subprocess.run(["git", "init"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.email", "mem@local"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.name", "Memory"], cwd=path, capture_output=True)
Confidence
96% confidence
Finding
subprocess.run(["git", "init"], cwd=path, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Check if git repo exists
    if subprocess.run(["git", "rev-parse", "--git-dir"], cwd=path, capture_output=True).returncode != 0:
        subprocess.run(["git", "init"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.email", "mem@local"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.name", "Memory"], cwd=path, capture_output=True)
    
    # Check if repo has any commits
Confidence
90% confidence
Finding
subprocess.run(["git", "config", "user.email", "mem@local"], cwd=path, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if subprocess.run(["git", "rev-parse", "--git-dir"], cwd=path, capture_output=True).returncode != 0:
        subprocess.run(["git", "init"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.email", "mem@local"], cwd=path, capture_output=True)
        subprocess.run(["git", "config", "user.name", "Memory"], cwd=path, capture_output=True)
    
    # Check if repo has any commits
    root = _git(["rev-list", "--max-parents=0", "HEAD"], cwd=str(path))
Confidence
90% confidence
Finding
subprocess.run(["git", "config", "user.name", "Memory"], cwd=path, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# If no commits exist, create an initial empty commit
    if not root:
        subprocess.run(["git", "commit", "--allow-empty", "-m", "init"], cwd=path, capture_output=True)
        root = _git(["rev-list", "--max-parents=0", "HEAD"], cwd=str(path))
    
    return root
Confidence
97% confidence
Finding
subprocess.run(["git", "commit", "--allow-empty", "-m", "init"], cwd=path, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises only memory functionality but clearly instructs shell execution and implies file-reading/project inspection capabilities without any declared permissions or user-visible disclosure. This creates hidden capability risk because an agent may execute commands or inspect repository data beyond what users expect from the metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior exceeds the stated purpose by including repository initialization, automatic commits, git config changes, project file inspection, and destructive/update operations. That mismatch is dangerous because it hides material side effects and data access from users and reviewers, increasing the chance of unauthorized modification of the workspace and persistent data collection.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill can initialize and mutate the target directory's git repository, including config changes and commit creation, which exceeds a minimally necessary memory function. Given the metadata explicitly says the memory system should operate silently and automatically, this hidden ability is especially risky because users may never realize their repo was modified.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The initialization logic reads package manifests and README content from the project to infer context, which expands the skill's data-access scope beyond simple memory storage. In a silent, automatic memory skill, this creates unnecessary collection of local project information that may be sensitive and then potentially persisted into notes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes automatic, silent persistence of contextual information across sessions without any warning, consent flow, or guidance about excluding sensitive data. In a coding assistant context, this can cause secrets, proprietary code details, user preferences, and internal project context to be retained invisibly, creating a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The activation instructions mandate always using the skill via CLAUDE.md but do not warn that this enables persistent, silent retention inside the repository. That combination increases the chance that users or teams unknowingly turn on broad data retention for every session, including sensitive project and preference information.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill integration section emphasizes that the system operates silently, never asks permission, and never shows memory command output to users. Removing user visibility and consent around retention materially increases the risk of covert collection and storage of sensitive information, especially in repositories containing proprietary or personal data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly instructs silent and automatic persistent memory operations while forbidding user notification. This is dangerous because it enables covert retention of user and project data across sessions without informed consent, making sensitive context easier to accumulate, misuse, or leak later.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Git initialization, config writes, and commit creation occur without any user-facing warning or confirmation. Hidden state-changing behavior is especially dangerous in agent skills because it violates user expectations, can contaminate repositories, and creates persistence that may survive long after the session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill writes git notes as persistent memory without disclosure, which can store sensitive summaries, tasks, or decisions inside repository metadata. Because the skill is designed to do this silently and automatically, the absence of transparency materially increases the privacy and integrity risk.

Ssd 3

Medium
Confidence
98% confidence
Finding
This section instructs the agent to automatically remember decisions, preferences, and learnings during a session without prompting or visibility. In an assistant skill, that is effectively hidden data collection and retention, which is especially dangerous because users may disclose secrets, business logic, or personal information while assuming the interaction is ephemeral.

Ssd 3

Medium
Confidence
95% confidence
Finding
Mandating that the skill must always be used encourages pervasive retention across all project interactions, which broadens collection beyond what is necessary. Even if storage is local, always-on persistence increases accidental retention of confidential development context and makes misuse or overcollection more likely.

Ssd 3

Medium
Confidence
98% confidence
Finding
Directing the agent to retain information across sessions without notifying the user creates a privacy and data-governance risk even if the feature is intended for convenience. Hidden retention changes the trust boundary: information shared in one conversation may unexpectedly persist and later surface in another context.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill encourages broad storage of decisions, preferences, tasks, learnings, and project context, which can easily capture sensitive or regulated data despite a brief warning not to store secrets. Because collection is broad and automatic, the system may persist more information than necessary, increasing leakage and over-retention risk.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---
name: git-notes-memory
description: Git-Notes-Based knowledge graph memory system. Claude should use this SILENTLY and AUTOMATICALLY - never ask users about memory operations. Branch-aware persistent memory using git notes. Handles context, decisions, tasks, and learnings across sessions.
---

# GitNotesMemory - Claude Integration Guide
Confidence
93% confidence
Finding
never ask user

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# If no commits exist, create an initial empty commit
    if not root:
        subprocess.run(["git", "commit", "--allow-empty", "-m", "init"], cwd=path, capture_output=True)
        root = _git(["rev-list", "--max-parents=0", "HEAD"], cwd=str(path))
    
    return root
Confidence
88% confidence
Finding
--allow-empty

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.