Andrew Memory Layer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent long-term memory plugin, but it can persist user facts and send memory or conversation text to MiniMax when API mode is used.

Install only if you want an agent to keep long-term memory. Use local Ollama mode for private work, avoid saving secrets or confidential data, and review or remove the ~/.andrew-memory/data directory if you need to clear stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and relies on environment-variable access and network use (for `MINIMAX_API_KEY` and cloud LLM mode) but does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: users or hosting platforms may assume the skill is local-only or lower-privilege than it really is, increasing the chance of unintended secret exposure or outbound data transmission.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs conversation distillation and semantic memory operations, and its documented `api` mode sends data to MiniMax, but the description does not warn users that conversation-derived memories may leave the local system. Because memory content can include sensitive personal facts, preferences, and identity data, this omission can lead to privacy violations and non-consensual third-party disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The memory-writing tool permanently stores caller-provided text and metadata without any built-in confirmation, consent boundary, or policy check. In a long-term memory skill, this creates a real privacy and integrity risk because an agent can persist sensitive, incorrect, or manipulative content about a user with no explicit user awareness at write time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The identity-setting tool updates the plugin's persistent 'Core Identity' state from arbitrary input with no confirmation or authorization guard. Because identity data is meant to be foundational and reused across sessions, tampering or accidental overwrite can cause persistent persona drift, instruction contamination, or storage of highly sensitive profile information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The distillation tool accepts whole conversations and stores extracted memories without any disclosure or consent gate. In this skill's context, that is especially risky because conversations commonly contain sensitive personal data, and automatic extraction increases the chance of retaining secrets, regulated data, or misleading summaries for future reuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The distill() path concatenates full conversation messages and sends them to either a local Ollama endpoint or the external MiniMax API via _callLLM() without any consent gate, redaction, or disclosure mechanism. In a memory skill, conversations are likely to contain sensitive personal data, so silent transmission to third-party or even localhost services creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
generateEmbedding() sends arbitrary memory text to localhost or to https://api.minimaxi.com/v1/embeddings, again without any disclosure, minimization, or policy check. Because this skill is specifically designed to store long-term user facts and identity data, embedding generation can export highly sensitive content outside the local database boundary.

Ssd 3

Medium
Confidence
96% confidence
Finding
The tool is explicitly designed to extract and retain key facts from full conversations, which creates a substantial natural-language data retention risk. Because this plugin is a semantic memory layer intended for long-term cross-session recall, retained conversation details may later be surfaced out of context, increasing privacy leakage and persistence of sensitive data.

External Transmission

Medium
Category
Data Exfiltration
Content
        // API mode: MiniMax
        try {
            const response = await fetch('https://api.minimaxi.com/v1/embeddings', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
Confidence
90% confidence
Finding
fetch('https://api.minimaxi.com/v1/embeddings', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
        }

        try {
            const response = await fetch('https://api.minimaxi.com/anthropic/v1/messages', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
Confidence
90% confidence
Finding
fetch('https://api.minimaxi.com/anthropic/v1/messages', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
        // API mode: MiniMax
        try {
            const response = await fetch('https://api.minimaxi.com/v1/embeddings', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
Confidence
90% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
        }

        try {
            const response = await fetch('https://api.minimaxi.com/anthropic/v1/messages', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
Confidence
90% confidence
Finding
https://api.minimaxi.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal