Back to skill

Security audit

Chromadb Memory Pub

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory skill that searches a configured ChromaDB collection and adds relevant results to agent context.

Install only if you want automatic long-term memory recall. Keep Ollama and ChromaDB local or on a trusted private network, avoid indexing secrets or sensitive documents, periodically review/delete stored memories, pin the ChromaDB Docker image instead of using latest, and set autoRecall to false if you prefer manual search only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes network-dependent behavior to Ollama and ChromaDB but does not declare corresponding permissions. Undeclared network capability weakens operator visibility and policy enforcement, making it easier for a skill to send user content to services without an explicit trust decision.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently advertises automatic memory recall and injection into every agent turn, but it does not clearly warn users about the privacy and data-handling implications of continuously retrieving and surfacing past content. In a memory plugin, this can cause sensitive prior prompts, secrets, personal data, or internal context to be unexpectedly reintroduced into later interactions, increasing the risk of unintended disclosure or over-retention.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that before every turn it queries ChromaDB with the user's message and injects retrieved memories into context, but it does not prominently warn that each prompt is transmitted to local services and that prior stored content may be reintroduced automatically. This can expose sensitive prompt contents to local daemons and can cause unintended disclosure or prompt-injection-style influence from untrusted memory records on every interaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The auto-recall hook sends the full agent prompt to the local Ollama embedding service and then uses that embedding to query ChromaDB on every turn. Even though the services are described as local/self-hosted, prompts may contain secrets, personal data, or sensitive operational details, and this transmission happens automatically without an explicit just-in-time warning or consent boundary.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest explicitly states that relevant memories are automatically injected before each turn, but it does not define any scope limits, exclusions, or user-consent boundaries. In a memory skill, this can cause sensitive prior content to be surfaced into unrelated prompts or exposed to downstream tools/models unexpectedly, increasing prompt-context privacy and data-minimization risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The plugin advertises automatic context injection from long-term memory but provides no warning about privacy, retention, or data-handling consequences. Users may unknowingly store and re-insert sensitive data into later interactions, which is especially risky because the skill is designed to persist and reuse conversational content over time.

Ssd 3

Medium
Confidence
94% confidence
Finding
This plugin automatically retrieves prior memory content, including session transcripts and indexed files, and prepends excerpts into future agent turns as natural-language context. That creates a cross-session data leakage channel: sensitive content from unrelated tasks can be surfaced to the model or exposed in downstream outputs when similarity matching is overly broad or when prompts trigger recall unintentionally.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.