Back to skill

Security audit

agent-memory

Security checks across malware telemetry and agentic risk

Overview

This is a local agent-memory tool that intentionally stores facts, lessons, and entity details on disk; the privacy risk is real but matches the stated purpose and is disclosed.

Install only if you want durable local agent memory. Do not store secrets, credentials, regulated data, or sensitive personal details unless you have appropriate consent and controls. Review or delete ~/.agent-memory/memory.db periodically, use a custom protected path or :memory: for testing, and be cautious about exposing export_json output to other tools or prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes storing persistent user preferences, relationship context, and personal attributes across sessions, but it does not warn users about privacy, consent, retention, or sensitivity handling. In an agent-memory skill, this omission is materially risky because developers may deploy it to retain personal data by default without implementing safeguards, increasing the chance of overcollection, inappropriate retention, or accidental disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes persistent storage of facts, lessons learned, and entity information across sessions, but it does not warn users that conversation-derived data may be written to disk in a local database. This creates a real privacy and data-governance risk because users or downstream agents may store sensitive personal, confidential, or regulated information without informed consent or retention controls.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The example explicitly initializes persistent storage at a local filesystem path under /tmp and then stores potentially sensitive personal and operational information such as a boss's preferences, meeting schedule, and project details. While this is presented as sample code rather than overtly malicious behavior, it can normalize insecure handling of sensitive data and may lead users to persist real secrets or personal data without understanding retention, access control, or cleanup implications.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill persistently stores user-provided memories under the user's home directory without any consent, notice, retention policy, or access control. In an agent context, this can silently accumulate sensitive conversation data across sessions, increasing privacy risk if the host is multi-user, compromised, or the agent stores secrets and personal data unintentionally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The export_json function returns all persisted facts, lessons, and entities in a single structure with no authorization, confirmation, redaction, or sensitivity filtering. In an agent skill, any caller path that exposes this method could exfiltrate the full memory contents, including personal details, inferred preferences, or sensitive operational context.

Ssd 3

Medium
Confidence
88% confidence
Finding
The remember function accepts arbitrary user content and persists it without classification, minimization, or restrictions on sensitive data. In an AI memory skill, users may naturally provide credentials, health details, financial information, or internal business facts, which then become durable and potentially retrievable or exportable later.

Ssd 3

Medium
Confidence
83% confidence
Finding
The skill is explicitly designed to track people and their attributes across sessions, which materially raises privacy risk because it encourages long-term storage of personal profiles. In this context, the feature set makes the issue more dangerous than a transient cache because the retained data may include roles, preferences, timezones, and linked facts about identifiable individuals.

Ssd 3

High
Confidence
95% confidence
Finding
A one-shot export of all facts, lessons, and entities creates a concentrated exfiltration primitive for the entire memory store. Because this module is for persistent cross-session agent memory, the skill context makes this especially dangerous: a single misuse or prompt-induced tool call could disclose a large corpus of sensitive historical user data at once.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.