Unified Memory Architect

Security checks across malware telemetry and agentic risk

Overview

The skill mostly describes a memory search system, but it also includes broad agent-life, persistent-memory, heartbeat, messaging, and deletion instructions that go beyond the advertised scope.

Install only if you are comfortable with this skill shaping persistent assistant identity and memory behavior, not just providing memory search. Review AGENTS.md and BOOTSTRAP.md before use, disable or tightly scope heartbeats and messaging integrations, avoid shared-context access to MEMORY.md, and back up memory data before following uninstall or rollback commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The policy is internally inconsistent: it first says anything leaving the machine requires asking first, then explicitly allows autonomous web, calendar, and related external checks. In an agent setting, contradictory permission boundaries can be exploited or misapplied, causing unauthorized outbound actions or data exposure under the guise of 'safe to do freely.'

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The document correctly restricts MEMORY.md from shared contexts, but later heartbeat instructions encourage reviewing and updating MEMORY.md without restating or enforcing that boundary. This creates a context-leak risk where an automated background workflow may load or modify sensitive personal memory during a shared or group session.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The bootstrap instructs the agent to offer linking external messaging channels like WhatsApp and Telegram even though the skill's stated purpose is identity/bootstrap setup. That expands the trust boundary and can lead to unnecessary collection of contact/account data or movement of the interaction onto less controlled channels without a clear user-need justification.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The heartbeat trigger is described broadly as any message matching a configured prompt, which can allow accidental or adversarial invocation. In shared or noisy environments, this may cause the agent to perform unintended proactive checks, file edits, or outbound notifications without an explicit, high-assurance trigger.
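The two heartbeat findings above (the MEMORY.md boundary not being re-applied inside the background task, and the loosely matched trigger) share one fix: the heartbeat handler itself decides who may fire it, what it may read, and whether it may send anything out. The following is an added example written for this report, not code from the Unified Memory Architect skill; the `[heartbeat]` trigger string, the `Session` and `HeartbeatConfig` shapes, and the `memory/` path are assumptions made for illustration.

```python
"""Heartbeat gating: exact trigger match, sender check, and context-aware
memory loading. Added example, not code from the Unified Memory Architect skill."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The one file the skill itself says must stay out of shared contexts.
PRIVATE_MEMORY = "MEMORY.md"


@dataclass(frozen=True)
class Session:
    kind: str     # "private" (owner only) or "shared" (group chat, multi-user channel)
    sender: str   # who sent the current message
    owner: str    # the workspace owner


@dataclass(frozen=True)
class HeartbeatConfig:
    trigger: str = "[heartbeat]"                       # hypothetical configured prompt
    wants: Tuple[str, ...] = ("MEMORY.md", "memory/")  # files the heartbeat would review
    sends_notifications: bool = True                   # whether a run may notify externally


def is_heartbeat(message: str, cfg: HeartbeatConfig) -> bool:
    """Whole-message equality, not substring matching. A loose `cfg.trigger in message`
    would let 'pls run [heartbeat] now', pasted by anyone in a group, fire the task."""
    return message.strip() == cfg.trigger


def plan_heartbeat(message: str, session: Session, cfg: HeartbeatConfig) -> Dict[str, object]:
    """Decide whether a heartbeat runs, which files it may touch, and whether it may
    send anything out, for this message in this session."""
    refused = {"run": False, "files": [], "outbound": False}
    if not is_heartbeat(message, cfg):
        return {**refused, "reason": "message is not the exact trigger"}
    if session.sender != session.owner:
        return {**refused, "reason": f"trigger from non-owner {session.sender!r}"}
    shared = session.kind != "private"
    # Re-apply the MEMORY.md boundary inside the background task itself instead of
    # relying on a rule stated in an earlier section the heartbeat never re-reads.
    files: List[str] = [f for f in cfg.wants if not (shared and f == PRIVATE_MEMORY)]
    return {
        "run": True,
        "reason": "shared session: private memory and outbound disabled" if shared else "private session",
        "files": files,
        # Nothing leaves the machine from a shared context; in a private session the
        # run is still subject to whatever ask-first rule the policy sets.
        "outbound": cfg.sends_notifications and not shared,
    }
```

The point of `plan_heartbeat` returning a plan rather than performing the work is that the file list and the outbound flag can be logged or shown to the user before the run, which is the visibility the skill's heartbeat instructions lack.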

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instruction to delete BOOTSTRAP.md after reading authorizes file deletion without confirmation or user visibility. Even if intended as cleanup, it normalizes destructive behavior and could remove evidence, setup instructions, or user-authored context that should be preserved.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill encourages proactive creation and modification of memory files without asking, which grants broad write authority over persistent state. That can lead to silent data retention, privacy issues, prompt persistence, or corruption of user records without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The file directs the agent to write user-related details such as name, preferred address, timezone, notes, values, boundaries, and preferences into persistent memory files without any minimization, consent, or privacy warning. This creates a real risk of over-collection and retention of personal or sensitive profile data in a fresh workspace where the user may not realize information is being stored.
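The previous two findings (unasked memory writes, and profile details persisted without minimization or consent) call for the same control: an allowlist of what the assistant actually needs, a consent step for anything beyond it, and a file the user can read to see what was kept. The example below is added for this report and is not the skill's code; the field names in `REQUIRED_FIELDS` and `SENSITIVE_FIELDS` and the `memory/profile.md` path are invented for illustration.

```python
"""Data-minimised, consent-gated writes of user details to persistent memory.
Added example with an invented field schema; not the skill's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical schema. REQUIRED is the minimum the assistant needs to address the
# user; SENSITIVE is written only after the user has explicitly agreed; anything
# else (account numbers, contact lists, whatever a conversation happened to contain)
# is dropped rather than silently retained.
REQUIRED_FIELDS: Set[str] = {"name", "preferred_address", "timezone"}
SENSITIVE_FIELDS: Set[str] = {"values", "boundaries", "notes", "preferences"}


@dataclass
class WriteDecision:
    stored: Dict[str, str] = field(default_factory=dict)
    awaiting_consent: Dict[str, str] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)


def gate_profile_write(candidate: Dict[str, str], consented: Set[str]) -> WriteDecision:
    """Split a candidate profile update into what may be written now, what needs a
    consent question first, and what is discarded."""
    decision = WriteDecision()
    for key, value in candidate.items():
        if key in REQUIRED_FIELDS:
            decision.stored[key] = value
        elif key in SENSITIVE_FIELDS:
            target = decision.stored if key in consented else decision.awaiting_consent
            target[key] = value
        else:
            decision.dropped.append(key)
    return decision


def consent_question(decision: WriteDecision) -> str:
    """The question to put to the user before the held-back fields are persisted."""
    if not decision.awaiting_consent:
        return ""
    fields = ", ".join(sorted(decision.awaiting_consent))
    return f"May I save the following to memory/profile.md: {fields}? (yes/no)"


def render_profile(decision: WriteDecision) -> str:
    """File body with a provenance header, so the user can see what the assistant
    retained (hypothetical path memory/profile.md). Held-back values never reach
    the file; only their field names are listed."""
    lines = ["# profile (assistant-written: required fields plus anything you agreed to keep)"]
    for key in sorted(decision.stored):
        lines.append(f"- {key}: {decision.stored[key]}")
    if decision.awaiting_consent:
        lines.append("")
        lines.append("# not stored yet (awaiting your consent)")
        for key in sorted(decision.awaiting_consent):
            lines.append(f"- {key}")
    return "\n".join(lines) + "\n"
```

Dropped keys are returned in `WriteDecision.dropped` rather than written anywhere, so a caller can log what the conversation tried to persist without that data ending up in the memory directory.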

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The instruction to delete BOOTSTRAP.md is a destructive action presented as part of normal completion, with no confirmation step or safety check. While the target file is not highly sensitive by itself, normalizing silent deletion can lead to unintended data loss or unsafe file operations if the instruction is generalized by the agent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill advertises storage, querying, and exposure of both processed and raw memory content, including dream data, but provides no privacy, consent, access-control, or data-handling warnings. In an agent ecosystem, this can lead users to ingest or query sensitive personal content without understanding disclosure risks, increasing the chance of unintended data leakage through CLI output, APIs, logs, or downstream integrations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The uninstall section includes recursive deletion commands that can permanently remove directories, but it does not warn users about data loss, the need to verify the working path, or the scope of the deleted content. In installation documentation for a skill, this is dangerous because users may copy-paste commands without understanding that `rm -rf memory/` could erase local data associated with the tool.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The rollback instructions tell users to run `rm -rf memory`, which is a destructive operation, but the document does not explicitly warn about data loss or stress verifying the backup before deletion. In a maintenance guide, readers are likely to copy commands directly, so omission of safety checks increases the chance of accidental loss of production data.
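The four destructive-operation findings (silent deletion of BOOTSTRAP.md, and the `rm -rf memory` uninstall and rollback steps) all come down to the same missing checks: confirm the target is inside the workspace, require an explicit confirmation, and verify that a backup exists and actually matches what is about to be deleted. The following is an added example written for this report, not the skill's uninstall or rollback code; the workspace layout in `demo()` (a `memory/` directory, `MEMORY.md`, `BOOTSTRAP.md`) is constructed in a temporary directory for illustration.

```python
"""Guarded destructive file operation: path containment, explicit confirmation,
and a verified backup before anything is deleted. Added example; the skill's own
uninstall and rollback steps are plain `rm -rf memory` with none of these checks."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def tree_digest(root: Path) -> str:
    """SHA-256 over relative paths and contents of every file under root, so a
    backup is checked against what is about to be deleted rather than assumed."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(str(p.relative_to(root)).encode())
            h.update(b"\0")
            h.update(p.read_bytes())
            h.update(b"\0")
    return h.hexdigest()


def make_backup(target: Path, backup_root: Path) -> Path:
    """Copy target (file or directory) under backup_root and return the copy."""
    backup_root.mkdir(parents=True, exist_ok=True)
    dest = backup_root / (target.name + ".bak")
    if target.is_dir():
        shutil.copytree(target, dest)
    else:
        shutil.copy2(target, dest)
    return dest


def guarded_remove(target: Path, workspace: Path, backup: Optional[Path], confirm: bool) -> str:
    """Delete target only if every safety check passes; raise otherwise."""
    target = target.resolve()
    workspace = workspace.resolve()
    # 1. Containment: the target must be strictly inside the workspace. This is the
    #    check `rm -rf memory` lacks when it is run from the wrong directory.
    if target == workspace or workspace not in target.parents:
        raise ValueError(f"refusing to remove {target}: outside workspace {workspace}")
    if not target.exists():
        return "nothing to remove"
    # 2. Explicit confirmation instead of deletion as a side effect of "completion".
    if not confirm:
        raise PermissionError(f"removal of {target.name} requires explicit confirmation")
    # 3. Verified backup: present and byte-for-byte equal to the current target.
    if backup is None or not backup.exists():
        raise RuntimeError(f"no backup for {target.name}; refusing to delete")
    if target.is_dir():
        if not backup.is_dir() or tree_digest(backup) != tree_digest(target):
            raise RuntimeError("backup does not match current memory contents")
        shutil.rmtree(target)
    else:
        if not backup.is_file() or backup.read_bytes() != target.read_bytes():
            raise RuntimeError("backup does not match current file contents")
        target.unlink()
    return f"removed {target.relative_to(workspace)}"


def demo() -> dict:
    """Constructed scenario: a throwaway workspace with memory/, MEMORY.md and BOOTSTRAP.md."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        mem = ws / "memory"
        mem.mkdir(parents=True)
        (mem / "2024-05-01.md").write_text("# notes\nmeeting with A\n")
        (ws / "MEMORY.md").write_text("# long-term\n")
        (ws / "BOOTSTRAP.md").write_text("# first run\n")
        backups = Path(tmp) / "backups"
        try:                                        # a. no confirmation: refused
            guarded_remove(mem, ws, None, confirm=False)
            results["refused_without_confirm"] = False
        except PermissionError:
            results["refused_without_confirm"] = True
        try:                                        # b. confirmed, no backup: refused
            guarded_remove(mem, ws, None, confirm=True)
            results["refused_without_backup"] = False
        except RuntimeError:
            results["refused_without_backup"] = True
        bak = make_backup(mem, backups)
        (mem / "2024-05-02.md").write_text("# newer\n")  # memory changed after backup
        try:                                        # c. stale backup: refused
            guarded_remove(mem, ws, bak, confirm=True)
            results["refused_stale_backup"] = False
        except RuntimeError:
            results["refused_stale_backup"] = True
        shutil.rmtree(bak)
        bak = make_backup(mem, backups)             # d. fresh backup + confirmation: removed
        results["removed"] = guarded_remove(mem, ws, bak, confirm=True)
        results["memory_gone"] = not mem.exists()
        results["backup_kept"] = (bak / "2024-05-02.md").exists()
        boot = ws / "BOOTSTRAP.md"                  # e. single-file case (BOOTSTRAP.md)
        results["bootstrap_removed"] = guarded_remove(boot, ws, make_backup(boot, backups), confirm=True)
        try:                                        # f. target outside workspace: refused
            guarded_remove(backups, ws, None, confirm=True)
            results["refused_outside_workspace"] = False
        except ValueError:
            results["refused_outside_workspace"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: containment is tested before existence or confirmation, so a mis-resolved path is rejected even when the caller has already said yes, and the backup comparison is a content digest rather than a timestamp, so a backup taken before the last memory write is treated as missing.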

VirusTotal

65/65 vendors flagged this skill as clean.
