Security audit

pg-memory

Security checks across malware telemetry and agentic risk

Overview

This is a real PostgreSQL memory skill, but it stores sensitive agent history and includes overbroad database setup, network exposure guidance, and unsafe backup/restore paths that need review before use.

Install only if you intentionally want agents to persist searchable conversation and tool history. Use a dedicated least-privilege PostgreSQL role, restrict PostgreSQL to localhost/VPN or specific trusted IPs, avoid 0.0.0.0/0 examples, lock down config files containing passwords, and review backup/restore scripts before using them with untrusted paths or shared databases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (55)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Add compression if requested
    if compress:
        cmd_str = " ".join(cmd) + f" | gzip > {backup_path}"
        result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)
    else:
        # Run pg_dump and redirect to file
        with open(backup_path, 'w') as f:
Confidence
99% confidence
Finding
result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-d", "postgres",
            "-c", f"DROP DATABASE IF EXISTS {db_name};"
        ]
        subprocess.run(cmd, capture_output=True)
        
        cmd = [
            "psql",
Confidence
92% confidence
Finding
subprocess.run(cmd, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-d", "postgres",
            "-c", f"CREATE DATABASE {db_name};"
        ]
        subprocess.run(cmd, capture_output=True)
    
    # Restore from backup
    is_compressed = str(backup_path).endswith('.gz')
Confidence
88% confidence
Finding
subprocess.run(cmd, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if is_compressed:
        cmd_str = f"gunzip -c {backup_path} | psql -h {db_host} -p {db_port} -U {db_user} -d {db_name}"
        result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)
    else:
        cmd = [
            "psql",
Confidence
99% confidence
Finding
result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guide explicitly recommends `listen_addresses='*'` and includes an example `pg_hba.conf` rule of `0.0.0.0/0 md5`, which exposes PostgreSQL on all interfaces and potentially to the entire internet. For a memory skill that stores agent context and observations, broad network exposure materially increases the attack surface and risks unauthorized access, credential attacks, and data theft.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill introduces a natural-language query path backed by a local Ollama service that is not reflected in the core manifest description. Even when local, this adds a separate model-processing surface for stored memory data and changes the trust boundary in ways users may not anticipate.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation adds automated task/assignment capture and protocol enforcement behavior beyond ordinary memory storage/retrieval. This materially changes data-retention behavior by mandating persistent recording of user assignments and related metadata without equivalent top-level disclosure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The setup script fetches executable skill code from GitHub during installation, which expands its behavior from local client setup into remote code acquisition. This creates a supply-chain risk: a compromised repository, DNS/TLS interception in a weak environment, or unexpected upstream changes could cause unreviewed code to be installed and later executed.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The installer goes beyond preparing the skill and attempts to install and start PostgreSQL services automatically on macOS. That expands the trust boundary from skill setup into host-level service management, which can unexpectedly modify the system state and create background services the user did not explicitly approve.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script runs `createuser -s "$DB_USER"`, which grants PostgreSQL superuser privileges to the configured account. If that account is compromised or reused broadly, an attacker gains full administrative control over the PostgreSQL instance, far exceeding what a memory skill needs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation describes generating SQL from natural language via an LLM and then executing it, which creates a clear LLM-to-SQL injection and overbroad query risk. If prompts or stored content can influence query generation, the system may execute unintended reads, destructive statements, or privacy-impacting broad queries against the memory database.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function signature accepts `p_agent_id` but never uses it to scope results, so callers may incorrectly assume observation searches are tenant- or agent-isolated when they are not. In a multi-agent memory system that stores conversation summaries, notes, and potentially sensitive operational context, this can cause cross-agent data exposure and unauthorized retrieval of another agent's observations.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
When a specific session_key is supplied, the code still calls mem.search_exchanges('', days=1, limit=20) and returns those results without filtering by session. In a multi-agent or multi-user memory system, this can restore or expose exchanges from unrelated sessions, causing cross-session data leakage and context contamination.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The code writes a session marker containing session_key, timestamp, and agent label to a fixed path in /tmp. Temporary directories are commonly shared and susceptible to symlink attacks, overwrites, and unintended disclosure to local users or processes, so this creates unnecessary local persistence of session metadata.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comment indicates that session-specific filtering should occur, but the implementation returns unfiltered cross-session exchanges. This discrepancy is dangerous because maintainers may wrongly assume isolation exists, while the actual behavior can leak sensitive memory across users, agents, or channels.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill advertises a PostgreSQL memory system with markdown backup, but also implements full database backup/restore plus JSON import/export of all observations. In an agent skill, this materially expands capability from memory storage into bulk exfiltration and destructive administrative operations, increasing the blast radius if the skill is invoked unexpectedly or by prompt abuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The natural-language query features introduce LLM-driven SQL generation (`ask`, `preview_sql`, external NLQueryEngine) beyond the stated storage purpose. In an agent setting, LLM-to-SQL is dangerous because prompt-controlled text can induce overly broad data access, schema probing, or unsafe query generation, especially when paired with a live database connection.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The restore routine claims session-specific restoration, but actually loads broad recent observations and only loosely filters exchanges. In a multi-agent or multi-user deployment, this can leak unrelated historical context into a new session, exposing data across sessions or users and causing confidentiality violations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exports full database records to a filesystem path outside PostgreSQL, creating a second persistence channel for potentially sensitive agent memory. In this skill context, the data likely contains prompts, tool outputs, and session content, so writing it to an unmanaged shared volume meaningfully increases exposure, retention drift, and the chance of unauthorized access or backup-policy bypass.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The archive flow detaches and drops a partition immediately after export, making permanent data deletion part of a routine maintenance command without any integrity verification, recovery safeguard, or explicit disclosure in the skill description. If the export is incomplete, corrupted, written to an insecure location, or triggered by mistake, this can cause irreversible data loss and weaken auditability of agent memory.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The migration expands the skill from a PostgreSQL memory store into configuring LLM-driven natural-language-to-SQL behavior, which materially changes the trust and data-exposure boundary. In a memory system that may hold sensitive agent context, enabling NL-to-SQL features without explicit consent, scoping, or disclosure can cause confidential database contents or schema context to be sent to a model or queried in unintended ways.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The default settings actively enable a model-backed NL-to-SQL path by prepopulating model, timeout, result-count, and temperature values, making the feature ready for use without an informed user action. In the context of an agent memory backend, this increases the risk of unintended data disclosure and overbroad query generation against stored memory content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script grants the application database user CREATEDB, which exceeds the stated needs of a structured memory service and violates least privilege. If that credential is compromised, an attacker can create arbitrary databases and expand abuse on the PostgreSQL instance beyond the intended memory workload.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The setup guidance tells operators to use `listen_addresses='*'` and `host all all 0.0.0.0/0 md5`, which exposes PostgreSQL to the entire internet if followed literally. In the context of a multi-agent memory backend containing potentially sensitive agent data, this significantly increases the attack surface for password attacks, exploitation of weak credentials, and unintended data exposure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The migration instructions direct users to dump and transfer the full database to a remote host without warning that the database may contain sensitive memory, prompts, identifiers, or other confidential agent data. Although `scp`/`ssh` are encrypted in transit, the guide omits data-classification, destination-trust, and at-rest handling concerns, which can lead to accidental exfiltration to less-secure systems.

VirusTotal

66/66 vendors flagged this skill as clean.