MCP Memory Service

Security checks across malware telemetry and agentic risk

Overview

This is a real memory plugin, but it enables broad automatic capture and reuse of tool output by default, which can retain and later expose sensitive information.

Install only if you want an always-on memory layer. Before enabling it, set autoCapture to false or restrict captureMatcher to a narrow allowlist, avoid using it around secrets or regulated data, and periodically review or delete stored memories. This review does not find evidence of malware or intentional exfiltration, but the default data-retention behavior is too broad to approve without user review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly advertises persistent memory, hybrid search, knowledge graph storage, and mistake notes, but provides no user-facing warning about what data may be captured, how long it is retained, or where it is reused. In an agent environment, this creates a real privacy and data-governance risk because users may disclose sensitive information without understanding that it will be durably stored and later surfaced.

Missing User Warnings

Medium
Confidence: 96%
Finding
The AGENTS.md states that auto-recall injects stored memories into future prompts, but does not warn that previously captured information may be reintroduced into later model context. This increases the chance of cross-session privacy leakage, unintended disclosure of sensitive past content, and propagation of stale or context-inappropriate data into unrelated conversations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The file describes automatic fact extraction after tool calls and storage in SQLite without an explicit warning about background collection. Because tool outputs can contain credentials, personal data, internal documents, or other sensitive artifacts, silent post-tool capture materially raises the risk of over-collection and long-term retention of sensitive information.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly enables `autoCapture: true` and `autoRecall: true` for a persistent memory plugin, but provides no warning about privacy, retention, consent, or what kinds of data may be stored and resurfaced. In an agent memory context, this can lead to unintended collection and reuse of sensitive prompts, personal data, credentials, or proprietary information, making the operational risk real even though the issue is documentation/configuration-related rather than exploit code.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises automatic capture of tool responses and automatic recall into future prompts without any visible consent, scoping, or trust-boundary controls. That creates a real risk of sensitive data retention and prompt injection persistence, where untrusted content captured from one interaction is later reintroduced into subsequent model contexts as if it were trustworthy memory.

Vague Triggers

Medium
Confidence: 88%
Finding
Using a wildcard capture matcher means the plugin may ingest essentially any matching tool output, making the memory boundary overly broad. In a memory system with automatic recall, broad ingestion increases the likelihood that secrets, irrelevant data, or attacker-controlled text will be stored and later resurfaced into prompts, amplifying data leakage and indirect prompt injection risks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The hook automatically persists extracted content from arbitrary tool responses into storage with no consent gate, sensitivity check, or per-tool allowlist beyond a glob matcher. In an agent context, tool outputs often contain private user data, secrets, or third-party content, so silently retaining them creates a real privacy and data-governance risk even if the feature is intended for convenience.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code sends captured fact content to an embedding function before storage, which may involve transmission to an external embedding provider depending on implementation. Because the content is derived directly from tool results and there is no disclosure, filtering, or locality guarantee here, sensitive data could be exfiltrated to another service unintentionally.

Missing User Warnings

Medium
Confidence: 88%
Finding
The hook sends up to 500 characters of the user's prompt to the embedding function for semantic search without any visible consent, disclosure, or sensitivity filtering. If the embedding backend is remote or logs requests, user secrets, personal data, or confidential prompts may be disclosed to a third party during routine prompt handling.

Missing User Warnings

Medium
Confidence: 89%
Finding
The plugin logs the full resolved configuration during startup, and configuration objects commonly contain sensitive values such as API keys, database paths, tokens, endpoints, or feature flags that reveal internal deployment details. In a memory plugin context, logs may be broadly accessible to operators, aggregators, or other services, so emitting the entire config increases the chance of credential leakage and information disclosure.

Missing User Warnings

Medium
Confidence: 92%
Finding
This tool performs irreversible deletion of stored memory entries based solely on a caller-supplied hash, with no confirmation step, authorization check, or visible safeguard in this code path. In an agent context, a mistaken, manipulated, or unauthorized tool invocation could silently remove important state, causing integrity loss and disrupting future behavior.

Vague Triggers

Medium
Confidence: 94%
Finding
The plugin enables auto-capture by default and sets `captureMatcher` to `*`, which means all tool activity may be persisted to memory unless explicitly restricted. In a memory service, this can unintentionally collect sensitive prompts, secrets, file contents, command output, or other high-risk data from unrelated tools, increasing data exposure and retention risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The hook automatically captures tool outputs and stores them as long-term memory without any notice, consent, or confirmation flow. Because tool responses may contain secrets, personal data, or other sensitive context, this creates a privacy and compliance risk by persisting data users may not expect to be retained.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code sends captured fact content into the embedding pipeline, which may involve external model processing depending on the embed() implementation. If sensitive tool output is embedded without disclosure or filtering, private data could be transmitted to another processing component or service unexpectedly.

Missing User Warnings

Medium
Confidence: 92%
Finding
The hook automatically appends recalled memory content into the model prompt without any user disclosure, consent, or per-request confirmation. Because the injected memories may contain sensitive prior conversation data, this can silently broaden the prompt context and cause unintended disclosure to the model or downstream tools, especially when the current prompt is unrelated or attacker-influenced.

Missing User Warnings

Medium
Confidence: 94%
Finding
The tool persistently stores arbitrary user-provided content, tags, and metadata via storage.insert(...) without any visible consent, notice, or policy enforcement in this code path. In an agent setting, this can silently retain sensitive prompts, secrets, personal data, or erroneous information beyond the current session, increasing privacy, compliance, and data-retention risk.

Ssd 3

Medium
Confidence: 96%
Finding
The stated purpose of the hook is to automatically extract facts from tool responses and store them as memory entries. In an agent skill, tool outputs can easily include sensitive user prompts, search results, account data, internal documents, or API-returned secrets, so automatic retention without semantic filtering materially increases privacy exposure and downstream misuse risk.

Ssd 3

Medium
Confidence: 97%
Finding
The fact extraction logic preserves arbitrary sentences from strings and copies common text-bearing fields such as result, output, content, response, text, answer, and summary, then stores or logs them. This broad extraction strategy lacks semantic filtering and can capture sensitive fragments from nearly any tool response, making accidental retention and exposure likely in normal use.

Ssd 3

Medium
Confidence: 95%
Finding
This hook is designed to persist arbitrary tool output as memory entries, which can retain sensitive information in plain language and later re-expose it through retrieval or logs. In an agent environment where tools may return credentials, internal documents, or personal information, automatic persistence materially increases data exposure risk.

Ssd 3

Medium
Confidence: 96%
Finding
The fact extraction logic stores sentences and key/value summaries from arbitrary string and object results using only length and type heuristics, with no checks for secrets, tokens, personal data, or confidential business content. That makes it easy for sensitive output from unrelated tools to be silently converted into durable memory records.

VirusTotal

62/62 vendors flagged this plugin as clean.