Back to skill

Security audit

Lancedb Memory

Security checks across malware telemetry and agentic risk

Overview

This is a local long-term memory helper that saves data on disk, with no evidence of exfiltration, hidden execution, or unrelated system access.

Install only if you want a local long-term memory store. Avoid saving secrets or sensitive personal data unless you are comfortable with durable local retention, and verify or change the hard-coded storage path before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The `add()` method writes arbitrary content and metadata into persistent memory with no user-facing notice, consent flow, or policy guardrails. In a memory-enabled agent context, this can result in silent retention of sensitive prompts, personal data, secrets, or conversation content, increasing privacy and data-governance risk if users are unaware that storage is occurring.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists arbitrary memory content and metadata to a local LanceDB database without any consent flow, retention notice, or minimization controls. In an agent memory context, this can silently store sensitive prompts, secrets, personal data, or user-derived context on disk, increasing privacy and data exposure risk if the host is shared, backed up, or later accessed by other processes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists arbitrary content and metadata to a local on-disk database without any consent, notice, or data-minimization controls. In an agent memory context, this can silently retain sensitive user inputs, secrets, or personal data longer than expected, increasing privacy and compliance risk if the host is shared, backed up, or later accessed by other components.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.