Potential exfiltration
- Finding: Sensitive-looking file read is paired with a network send.
- Skill content: const content = fs.readFileSync(event.sessionFile, 'utf-8');
Security checks across static analysis, malware telemetry, and agentic risk
This appears to be a cloud-backed memory plugin that largely does what it claims, but installing it means conversation-derived information may be sent to Zellin’s service.
This plugin is coherent with its description: it is designed to remember information across sessions using Zellin’s cloud API. The main thing to consider is privacy, not mismatch: auto-capture is enabled by default, memories are org-scoped, and conversation-derived facts or summaries may be uploaded to https://zellin.ai/api unless you change the API URL. Review whether you are comfortable sending that information to this service, and consider disabling autoCapture if you only want manual memory storage. Confidence is medium because the provided index.ts content was truncated, so the full runtime behavior could not be completely reviewed.
SkillSpector findings are pending for this release.
VirusTotal engine telemetry is currently stale for this artifact.
No visible risk-analysis findings were reported for this release.