Security audit

Skill: Kannaka Memory

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about managing a persistent memory system, but it also exposes broad activation triggers, destructive state changes, a self-update mechanism, and external orchestration commands, none of which are tightly scoped.

Review before installing. Use this skill only if you intend to run Kannaka as a persistent memory and swarm system, are comfortable configuring LLM API keys, and understand that it can mutate or delete memory state, restore snapshots, run long-lived network listeners, update its own binary, and delegate tasks to an external orchestrator. Require explicit user confirmation before the update, restore, forget, prune, dream, swarm loop, and orchestrate commands, and do not let keyword-based activation reach those commands on its own.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The utility section expands the skill beyond memory management into software updating and external task orchestration. That scope creep increases the attack surface and creates opportunities for unintended code execution or tool invocation when a user expected only memory-related behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
A self-update capability is unrelated to the core memory purpose and can introduce arbitrary binary changes from an external source. In an agent context, exposing update functionality through a broadly activated skill can enable supply-chain abuse or unintended privilege-bearing code execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
Delegation to an external orchestration tool extends this skill from memory operations into arbitrary multi-agent task execution. That creates an unexpected control-plane escape where memory-related prompts may trigger package installation or broader automation actions outside the declared scope.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The documentation explicitly says not to use the skill for multi-agent task orchestration, yet later exposes an orchestration command. This contradiction undermines operator expectations and safety boundaries, making accidental or policy-bypassing invocation more likely.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The automatic activation list includes broad terms like 'chat', 'observe', 'status', 'collective', and provider switching references that could appear in many unrelated conversations. Overbroad triggers raise the chance of accidental activation of sensitive memory, swarm, or restore functions in contexts where the user did not intend to use this skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill documents destructive and state-mutating operations such as `forget`, `dream`, snapshot creation, and restore flows without prominent warnings or confirmation requirements. In an agent setting, that increases the risk of irreversible memory deletion, mutation, or overwrite from an ambiguous prompt or an accidental invocation.
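The overview recommends explicit user confirmation before the destructive and scope-expanding commands, and the Vague Triggers and Missing User Warnings findings describe why a bare "are you sure?" is not enough: a keyword-fired activation must not reach those commands at all, and a confirmation must be bound to one exact invocation so it cannot be reused for a different command or argument set. The gate below is an added example written for this audit page; it is not Kannaka's own code, and the command names, the split between read-only and confirm-required commands, and the `request`/`user_confirm`/`execute` API are all assumptions used to illustrate the pattern. It denies unknown commands by default, denies any confirm-required command reached through an implicit trigger, and allows a confirmed command exactly once, only when the command and arguments match what the user confirmed.

```python
"""Confirmation gate for destructive agent commands.

Added example for the Kannaka Memory audit. Not Kannaka's code; the command
sets and the API below are assumptions chosen to illustrate the pattern.
"""
from __future__ import annotations

import json
import secrets
from dataclasses import dataclass

# Commands the audit lists as state-mutating or scope-expanding (assumed grouping).
CONFIRM_REQUIRED = {"update", "restore", "forget", "prune", "dream", "swarm loop", "orchestrate"}
# Read-only commands that may run without a prompt (assumed grouping).
READ_ONLY = {"status", "observe"}


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow", "deny" or "needs_confirmation"
    reason: str
    pending_id: str | None = None


def _fingerprint(command: str, args: list[str]) -> str:
    # Canonical encoding so a confirmation binds to this exact command and arguments.
    return json.dumps({"cmd": command, "args": args}, sort_keys=True)


class CommandGate:
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}   # pending_id -> fingerprint awaiting confirmation
        self._confirmed: set[str] = set()    # pending_ids a human has confirmed

    def request(self, command: str, args: list[str], *, explicit_invocation: bool) -> Decision:
        """Called by the agent before running a command."""
        if command in READ_ONLY:
            return Decision("allow", "read-only command")
        if not explicit_invocation:
            # A keyword such as "status" or "chat" appearing in an unrelated
            # conversation must never fire a state-changing command.
            return Decision("deny", "state-changing command reached via implicit trigger")
        if command not in CONFIRM_REQUIRED:
            return Decision("deny", f"unknown command {command!r}; default deny")
        pending_id = secrets.token_hex(8)
        self._pending[pending_id] = _fingerprint(command, args)
        return Decision("needs_confirmation", f"{command!r} requires user confirmation", pending_id)

    def user_confirm(self, pending_id: str) -> bool:
        """Called only from the human-facing UI, never by the agent."""
        if pending_id not in self._pending:
            return False
        self._confirmed.add(pending_id)
        return True

    def execute(self, pending_id: str, command: str, args: list[str]) -> Decision:
        """Second call by the agent: allowed once, only for the confirmed invocation."""
        fingerprint = self._pending.get(pending_id)
        if fingerprint is None:
            return Decision("deny", "unknown or already-used confirmation")
        if pending_id not in self._confirmed:
            return Decision("deny", "not yet confirmed by user")
        if fingerprint != _fingerprint(command, args):
            return Decision("deny", "confirmation was for a different command or arguments")
        # Single use: drop the record so the same confirmation cannot be replayed.
        del self._pending[pending_id]
        self._confirmed.discard(pending_id)
        return Decision("allow", "user confirmed this exact invocation")


if __name__ == "__main__":
    gate = CommandGate()
    # Constructed walk-through: an implicit trigger, then an explicit, confirmed forget.
    print(gate.request("forget", ["project-notes"], explicit_invocation=False))
    pending = gate.request("forget", ["project-notes"], explicit_invocation=True)
    print(pending)
    gate.user_confirm(pending.pending_id)            # the UI, not the agent, calls this
    print(gate.execute(pending.pending_id, "forget", ["everything"]))      # denied: mismatch
    print(gate.execute(pending.pending_id, "forget", ["project-notes"]))   # allowed once
    print(gate.execute(pending.pending_id, "forget", ["project-notes"]))   # denied: replay
```

The important design choice is that `user_confirm` is reachable only from the human-facing interface. If the agent could call it, or if a free-text "yes" were accepted, a prompt-injected or mis-triggered invocation could confirm itself; binding the confirmation to the fingerprint and consuming it on use closes the replay and argument-swap cases the findings describe.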

VirusTotal

0 of 64 vendors flagged this skill as malicious. A clean antivirus result does not address the design-level findings above, which concern what the skill is permitted to do rather than the presence of known-malicious code.

Static analysis

No suspicious patterns detected.