Memory Stack Core

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not deceptive or destructive, but it automatically saves chat details and sometimes full exchanges into plaintext workspace files.

Install only if you want persistent local chat memory. Keep the memory directory out of git and shared backups, disable auto_capture unless needed, avoid using it in sessions containing secrets or regulated data, and periodically inspect or delete memory/wal.jsonl and memory/working-buffer.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding
The manifest exposes only a limited tool surface, while the documentation claims additional automatic hooks, recovery helpers, wrap-up integration, and standalone scripts. This is dangerous because undeclared or ambiguously documented behavior reduces auditability and makes operators more likely to enable the skill without understanding its full data-handling and persistence behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The auto-capture routine scans arbitrary message text for paths, URLs, decisions, preferences, corrections, and numeric values, then persists matches to disk without meaningful scope restriction or consent. For a memory-resilience layer, this creates unnecessary data collection and retention of potentially sensitive user content that exceeds the minimally required functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The wal-auto mode will read any filesystem path provided on the command line and process its contents, effectively granting general file-ingestion capability unrelated to core WAL durability. In an agent setting, this can be abused to ingest sensitive local files into the WAL and make their contents persist for later retrieval.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The auto-capture triggers are extremely broad—covering common patterns like numbers, proper nouns, preferences, and corrections—so the skill would persist a large fraction of ordinary user messages. In context, this increases the chance of unintentionally storing secrets, personal data, internal paths, and other sensitive material to workspace files without meaningful user intent or review.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The description of automatic scanning says the skill 'scans human messages for specifics' but does not define clear boundaries, exclusions, or failure modes. In a memory/persistence skill, that ambiguity is dangerous because it normalizes surveillance-like capture of user content and leaves agents/operators without a principled limit on what will be stored.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill persistently stores specifics and even full exchanges to workspace files, but the description does not prominently warn users that sensitive conversation content may be retained across sessions. This is dangerous because users may disclose credentials, personal data, proprietary file paths, or internal URLs believing they are transient, when the skill is designed to keep them.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script automatically stores message-derived content in local WAL and buffer files but provides no user-facing disclosure, consent, or visibility at the time of capture. Silent persistence increases the risk of collecting sensitive information that users and operators may not realize is being retained on disk.

Ssd 3

Severity: High
Confidence: 95%
Finding
The instructions direct the agent to persist broad user-provided specifics and, at higher context usage, append full user and assistant exchanges to a working buffer. That creates a clear data-retention risk: sensitive material can accumulate in plaintext workspace files and later be surfaced, copied, or exposed through unrelated tasks, tools, or repository sharing.

Ssd 3

Severity: Medium
Confidence: 87%
Finding
The recovery and wrap-up flow explicitly encourages re-reading prior-session logs and buffers to reconstruct context. In a persistence skill, this increases the chance that previously supplied sensitive information is resurfaced in a later, different context, potentially violating least-privilege expectations and causing accidental disclosure.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
Captured message content is written to disk and later exposed through read interfaces such as wal_read and buffer_read, creating a straightforward data retention and replay channel. This is dangerous because sensitive details extracted from user messages can be recovered later by other components or sessions with access to these tools.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The working buffer intentionally persists arbitrary content and can replay it on demand, which is functionally aligned with a memory component but still creates a confidentiality risk if secrets, personal data, or unrelated prompts are written there. Because the content is unstructured and unfiltered, accidental storage and later disclosure are plausible in normal use.

VirusTotal

66/66 vendors flagged this skill as clean.
