Back to skill

Security audit

AgentMem

Security checks across malware telemetry and agentic risk

Overview

AgentMem appears to be a real cloud-memory skill, but it needs review because it encourages third-party persistence and public sharing of agent memories without strong user-control or privacy safeguards.

Install only if you intentionally want agent memories sent to AgentMem's cloud service. Use synthetic data in the demo, avoid storing secrets, credentials, private user details, regulated data, or raw conversation context, and disable public=true plus scheduled memory sync unless you have explicit approval and understand retention, deletion, and public visibility.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents executable shell commands and network-capable curl usage but does not declare corresponding permissions. This can cause operators or agent frameworks to underestimate the skill's ability to transmit data externally and perform actions beyond simple passive documentation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is cloud memory, but the documented behavior also includes public posting, reading a public feed, service statistics, and payment-related operations. This mismatch increases the risk of unsafe adoption because users may enable the skill expecting private memory storage while it also supports broader data exposure and unrelated external interactions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill exposes a public-memory feature and public-feed access even though its manifest frames it as cloud memory storage for agents. In context, this makes the capability more dangerous because agents may store internal notes or user data under the assumption of private persistence, then accidentally publish them.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Public content publication is not clearly justified by the core purpose of agent memory and creates a materially different risk profile from private storage. In this context, the feature can turn routine memory writes into unintended disclosure if an agent or user misunderstands the public flag or share URL behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages storing user preferences, learned facts, decisions, and session state in an external service without guidance on consent, minimization, or sensitivity handling. In an agent context, these categories commonly include personal data, secrets, internal reasoning, or regulated information that should not be exported by default.

Missing User Warnings

High
Confidence
98% confidence
Finding
The public-memory feature lacks a prominent warning that content becomes publicly accessible via a shareable URL and visible through a public feed. That omission is dangerous because agents may publish sensitive prompts, user data, or internal notes while assuming they are just saving memory entries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs a write of a publicly visible memory by sending data to a remote API with "public": true, but provides no explicit warning or confirmation beyond a simple status message. In an agent or automation context, this normalization of public posting can lead users to transmit content externally without understanding that it may be discoverable by others.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instructions normalize persistent export of user preferences and learned facts to a third-party cloud service without consent or sensitivity limits. In the context of an agent skill, this creates a straightforward data-exfiltration path for personal or confidential information gathered during normal interaction.

Ssd 3

Medium
Confidence
98% confidence
Finding
The heartbeat workflow instructs the agent to read local memory files, extract insights, and upload them on a schedule, creating an automated exfiltration channel from local storage to a remote service. This is especially risky because scheduled summarization can silently propagate secrets or sensitive project information without a human review step.

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""
echo "3. Storing a PUBLIC memory..."
PUBLIC_RESULT=$(curl -s -X PUT "$API/memory/public-thought-$TEST_KEY" \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{"value": "Agents remembering things is pretty cool!", "public": true}')
Confidence
94% confidence
Finding
curl -s -X PUT "$API/memory/public-thought-$TEST_KEY" \ -H "Authorization: Bearer $KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.