Agent Memory Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory-management skill, but it gives agents broad automatic authority to persist user, project, and conversation data without clear consent, sensitivity limits, or deletion guidance.

Install only if you intentionally want agents to maintain long-term memory across sessions. Before enabling it, define what must never be stored, require confirmation for personal or sensitive details, review the optional qmd and LosslessClaw integrations, and make sure users know how to inspect, edit, exclude, and delete saved memories.
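The overview above asks operators to define what must never be stored, to gate personal details behind explicit confirmation, and to keep saved memories inspectable. As an added example that is not part of the skill, of SkillSpector, or of the scan output, the following Python gate and audit routine implements that policy for the `memory/` and `blackboard/` paths the findings refer to. The deny patterns, the confirmation rule, the file layout and the sample entries are all assumptions chosen for illustration.

```python
"""
Pre-write sensitivity gate and on-disk audit for an agent memory store.

Added example; not code from the Agent Memory Protocol skill. The directory
names memory/ and blackboard/ come from the scan findings; the regex policy,
the confirmation rule and the sample files below are assumptions.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Content that must never reach durable memory (assumed policy).
NEVER_STORE = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\b[Bb]earer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}

# Personal details that may be stored only after the user explicitly confirms.
CONFIRM_BEFORE_STORE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?\d{1,3}[\s-]?)?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}\b"),
    "health_or_financial": re.compile(
        r"\b(?:diagnos|medication|salary|bank account|credit card)\w*", re.I),
}


@dataclass
class GateDecision:
    allowed: bool
    reason: str
    matched: list = field(default_factory=list)


def gate_memory_write(entry: str, user_confirmed: bool = False) -> GateDecision:
    """Decide whether a candidate memory entry may be written to disk.

    Secret-like content is refused outright; personal details are refused
    unless the caller passes user_confirmed=True (an explicit user "yes",
    not a keyword trigger such as "remember this").
    """
    hard = [name for name, rx in NEVER_STORE.items() if rx.search(entry)]
    if hard:
        return GateDecision(False, "secret-like content is never persisted", hard)
    soft = [name for name, rx in CONFIRM_BEFORE_STORE.items() if rx.search(entry)]
    if soft and not user_confirmed:
        return GateDecision(False, "personal detail requires explicit confirmation", soft)
    return GateDecision(True, "ok", soft)


def audit_memory_dirs(root: Path, dirs=("memory", "blackboard")) -> dict:
    """Scan existing markdown memory files for content the gate would refuse.

    Returns {relative_posix_path: [pattern names]} for offending files only,
    so an operator can review, redact or delete them.
    """
    all_rules = {**NEVER_STORE, **CONFIRM_BEFORE_STORE}
    findings = {}
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.md")):
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = [name for name, rx in all_rules.items() if rx.search(text)]
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_store(root: Path) -> None:
    """Write a constructed memory store (sample data, not real user content)."""
    (root / "memory").mkdir(parents=True)
    (root / "blackboard").mkdir(parents=True)
    (root / "memory" / "prefs.md").write_text("- User prefers tabs in Python files\n")
    (root / "memory" / "user.md").write_text("- Contact: alice@example.com\n")
    (root / "blackboard" / "project.md").write_text("- staging db password=hunter2\n")


def demo() -> dict:
    """Build the sample store in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_store(root)
        return audit_memory_dirs(root)


if __name__ == "__main__":
    print(gate_memory_write("User prefers tabs over spaces"))
    print(gate_memory_write("Deploy token: Bearer abcdefghijklmnopqrstuvwxyz012345"))
    print(gate_memory_write("Alice's email is alice@example.com"))
    print(gate_memory_write("Alice's email is alice@example.com", user_confirmed=True))
    print(demo())
```

The gate runs before any write, including writes triggered by the flush checklist or context-pressure logic, so opportunistic persistence still passes through the same policy as an explicit "remember this". The audit answers the inspect/delete requirement: run it over the real memory and blackboard directories and every hit is a file an operator should open and clean up.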

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding:
The skill’s declared purpose is memory management, but it also instructs agents to update separate blackboard project-tracking files as a source of truth. This scope expansion increases the skill’s authority and persistence surface, making it easier for a memory-related trigger to cause unrelated state changes without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence: 83%
Finding:
The archival and compression sections go beyond storage hygiene and direct the agent to summarize conversations and manage context lifecycle. That broadens the operational scope from memory writes into conversation processing, increasing the chance of over-collection and unintended retention of user data.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The context-pressure and flush logic adds runtime session-management behavior that is not reflected in the manifest. In practice, this can cause the agent to persist information opportunistically under internal pressure thresholds rather than only when the user explicitly requests memory operations.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding:
Directing writes to `.learnings/` and `TOOLS.md` extends the skill into additional persistence locations outside its stated memory-manager purpose. This makes data flow harder to audit and can cause hidden or unexpected modification of configuration-like knowledge stores.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The document explicitly states that past conversations are compressed into a local SQLite database and retained, but it provides no privacy notice, retention guidance, or warning that sensitive user content may persist indefinitely. In a memory-management skill, silent persistence of conversational data increases the risk of collecting secrets, personal data, or regulated information without informed user awareness.

Missing User Warnings

Low
Confidence: 90%
Finding:
The guide instructs users to index memory/ and blackboard/ directories for semantic and keyword search, but does not warn that any sensitive information placed there becomes broadly retrievable via local search tooling. In this skill context, making agent memory searchable is expected, but the lack of an explicit warning can still lead to accidental overexposure of secrets or personal data stored in markdown files.

Vague Triggers

Medium
Confidence: 91%
Finding:
The skill declares very broad automatic activation for any memory-related operation and includes generic trigger phrases like 'remember this' and 'update memory'. In an agent environment, this can cause unintended invocation during ordinary conversation, increasing the chance of accidental persistence, protocol overreach, or memory writes without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The README promotes a persistent memory system for storing user information, preferences, entities, and session-derived data, but does not warn about privacy, consent, retention, or sensitive-data handling. This omission makes it more likely that operators or downstream agents will store personal or confidential information indefinitely without safeguards.

Vague Triggers

Medium
Confidence: 91%
Finding:
The skill declares that it auto-activates for broadly defined memory-related operations and lists generic trigger phrases, which can cause it to run in situations where the user did not explicitly consent to persistent storage. In a memory-management skill, that broad activation scope increases the chance of unintended writes of sensitive conversational content to disk.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The description explains structured memory management but does not warn users that their information may be persisted to local Markdown files. Without a clear disclosure, users may share personal details believing they are ephemeral, creating privacy and consent risks.

Vague Triggers

High
Confidence: 91%
Finding:
The manifest description activates the skill for essentially any memory read, write, or update operation, creating a very broad interception surface. Overly broad scope increases accidental invocation and allows a single skill to govern many sensitive persistence actions without granular boundaries.

Vague Triggers

High
Confidence: 94%
Finding:
Trigger phrases like 'remember this' and 'update memory' are common-language expressions that may appear in normal conversation and can cause unintended activation. In a persistence-oriented skill, ambiguous triggers are especially dangerous because they can convert casual speech into durable storage actions.

Vague Triggers

Medium
Confidence: 89%
Finding:
Conditions such as 'or similar' and broad runtime events make activation boundaries unclear. Ambiguous activation criteria are risky in a memory skill because they permit subjective interpretation by the agent and can lead to silent persistence of conversational content.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill instructs agents to create and update persistent files across memory and blackboard paths without any prominent user-facing notice or confirmation mechanism. This undermines informed consent and can lead to unexpected durable changes to user-related data or project state.

Ssd 3

Medium
Confidence: 92%
Finding:
The skill is explicitly designed to retain broad categories of user information, including identity, preferences, entities, and important events, which creates a persistent natural-language record of potentially sensitive data. Even without malicious intent, centralized retention increases exposure from accidental disclosure, oversharing, or later misuse by other tools and agents.

Ssd 3

Medium
Confidence: 96%
Finding:
The classification rules operationalize persistence by directing the agent to write many classes of user and session-derived data into durable files. This makes the risk more concrete than a generic description because it provides a repeatable mechanism for storing personal context, relationships, events, and inferred patterns that may exceed user expectations.

Ssd 3

Medium
Confidence: 90%
Finding:
The session reflection and flush checklist encourage systematic capture of corrections, progress, decisions, entity changes, and reusable patterns before compression, which increases the completeness and persistence of user/session data. In context, this makes the skill more dangerous because it is specifically designed to prevent information loss, including information the user may not expect to be retained long-term.

Ssd 3

Medium
Confidence: 92%
Finding:
The skill broadly directs persistence of user preferences, habits, entities, deadlines, and other conversation-derived information without clear sensitivity limits or consent requirements. In context, this is dangerous because the skill is designed to capture personal and project data and can do so proactively during conversation.

Ssd 3

Medium
Confidence: 93%
Finding:
The flush checklist instructs the agent to scan the conversation and record preferences, project progress, decisions, entity information, and corrections, enabling broad capture of user data at session boundaries or under context pressure. This creates a systematic mechanism for opportunistic data extraction and persistence beyond explicit user intent.

VirusTotal

63/63 vendors reported this skill as clean (no detections). Antivirus engines match files against known malware signatures and heuristics; they do not evaluate natural-language skill instructions, so a clean VirusTotal result says nothing about the persistence, consent, and trigger-scope issues listed in the findings above.
