Security audit

Brain Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed persistent memory tool, but it gives agents broad cross-session access to personal memory files with weak user-control boundaries.

Install only if you intentionally want a persistent memory system shared across agents. Treat ~/.brain as sensitive data: review what is stored, avoid secrets, understand whether sync is enabled, and look for clear controls to inspect, delete, disable, or scope memories before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Medium, 97% confidence

Finding: The skill earlier mandates using the brain CLI for operations and not writing files by hand, but then instructs direct modification of ~/.brain/contexts.json. Direct file writes bypass any validation, locking, schema enforcement, or audit behavior the CLI may provide, creating integrity and corruption risks in a shared persistent store.

Intent-Code Divergence

High, 98% confidence

Finding: The document contains contradictory instructions: use the CLI for every operation and never write memory files manually, yet later it directs direct writes to ~/.brain/contexts.json. In a security-sensitive persistence system, such inconsistency is dangerous because it encourages agents to bypass controlled interfaces and perform raw filesystem mutation in a global shared state.

Vague Triggers

Medium, 84% confidence

Finding: The trigger 'when asked to remember, or when past context would help' is overly broad and invites unsolicited retrieval of stored personal data. In a global cross-agent memory store, ambiguous recall criteria can cause unnecessary exposure of prior sensitive context and increase privacy leakage risk.

Missing User Warnings

High, 95% confidence

Finding: The skill establishes a shared persistent store under ~/.brain for multiple agents but does not require a clear user-facing warning about persistence, cross-session retention, and filesystem impact before use. This can lead to users unknowingly having personal or professional information stored durably and made available to other agents.

Missing User Warnings

High, 97% confidence

Finding: The instruction to 'store immediately, report after' and not ask for confirmation when the user asked to memorize encourages silent persistence of user-derived information without a fresh warning that files will be written. In practice this increases the risk of storing sensitive, mistaken, or contextually inappropriate data in a durable shared memory system.

Ssd 3

Medium, 93% confidence

Finding: The skill directs the agent to persist user-derived information across sessions in a shared global store, which creates a natural-language data retention and secondary disclosure risk. Even without secrets, accumulated preferences, decisions, and summaries can reveal sensitive behavioral or professional context over time.

Ssd 3

Medium, 96% confidence

Finding: Keeping a rolling log of session summaries for future recall is a direct retention mechanism for prior interactions. In a shared memory context, these summaries can compound privacy risks by preserving natural-language traces of conversations that may later be surfaced to other agents or tasks.

Session Persistence

Medium, category Rogue Agent, 90% confidence

Flagged content:
Markdown files with YAML frontmatter (type, cognitive type, strength, decay,
salience, confidence, tags, associations). Recalled memories get stronger;
ignored ones fade. Use the `brain` CLI for every operation — never compute
scores or write memory files by hand.

## Recall (when asked to "remember", or when past context would help)

Finding (truncated in the report):
write memory files by hand.
## Recall (when asked to "remember", or when past context would help)
1. Run the deterministic recall engine: `brain recall "<query>" --project <project> --`

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.