Back to skill

Security audit

Agent Memory Tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real agent-memory tool, but it needs review because it can persist workspace content and optionally send memory data to remote services despite prominent local-only claims.

Install only if you are comfortable with a tool indexing and retaining workspace knowledge. For local-only use, leave convexUrl unset, avoid the openai/openrouter presets, set MEMORY_WORKSPACE narrowly, review or delete the .cache memory files as needed, and avoid --watch or platform auto-trigger setup unless continuous ingestion is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises substantial capabilities including shell execution, reading and writing workspace files, and environment access, but does not declare permissions. This undermines informed consent and review because users may invoke a skill with broader access than the manifest suggests, especially given features like auto-ingest and local storage updates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is described as fully local and without cloud dependency, but the documentation shows optional Convex remote storage and OpenAI-compatible provider support, plus installation and logging behaviors not surfaced in the summary. This mismatch can mislead users into exposing sensitive memory data to remote services or allowing broader system modification than expected.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README makes strong safety and deployment claims such as '100% local' and 'no cloud dependency', but later documents optional Convex cloud storage and hosted-model presets like OpenAI/OpenRouter. This can mislead users and downstream agents into assuming no data can leave the machine, which is risky for a memory tool that processes workspace content and extracted facts.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The 'zero cost' and '100% local' framing is contradicted by later references to cloud and paid hosted-model options. While this is primarily a documentation integrity issue, it can still create unsafe assumptions about privacy, billing, and operational behavior when users or agents select nonlocal presets.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
Claiming the skill runs '100% local' with 'no cloud dependency' is materially contradicted by support for Convex and OpenAI-compatible APIs. In a memory-management skill, this is especially risky because recalled facts, workspace content, and extracted knowledge may include sensitive internal data that users believe will never leave the machine.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation repeats a local-only assurance while also documenting OpenAI and Convex options, creating inconsistent security expectations. Such contradictions increase the chance that operators deploy the skill under an incorrect trust model and process confidential workspace data with remote components.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The benchmark advertises that it indexes a synthetic workspace and evaluates recall quality, but the implementation instead reads the preselected source file for each question and checks for expected keywords. This creates a misleading assurance signal: maintainers or users could believe retrieval/indexing works correctly when the benchmark never exercises the real pipeline, allowing serious defects in memory recall to go undetected.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comments claim the code uses fact extraction/search and simulates recall, but the logic simply opens the known-answer file and grades that raw content. In a memory/search skill, this is especially dangerous because it can mask broken retrieval, indexing, ranking, or contradiction-detection behavior while producing deceptively strong benchmark results.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The config ships cloud provider presets for OpenAI and OpenRouter even though the skill metadata claims it runs '100% local via Ollama' with 'no API keys, no cloud dependency'. This creates a real risk of unintended data egress if a preset is selected later, because workspace content, prompts, or embeddings could be sent to external services contrary to user expectations.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The script prepends writable or user-controlled locations to PATH before executing an external binary, which can cause a malicious 'qmd' program in those directories to be executed instead of the intended tool. In an agent skill that routinely performs searches, this expands execution trust to ambient local files and increases the chance of PATH hijacking or unintended code execution.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest claims the skill runs 100% local with no cloud dependency, yet this file conditionally sends facts and metadata to a remote Convex service whenever convexUrl is configured. That mismatch can cause sensitive workspace memory to be exfiltrated off-host under false user expectations, making the behavior materially more dangerous in a memory-management skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill is described as local-memory tooling, but this code executes an external program to perform outbound network requests. Even if not directly exploitable as command injection, the hidden network capability increases risk because fact contents and metadata can leave the local environment in ways users may not expect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description says it runs 100% locally with no cloud dependency, but the code supports arbitrary OpenAI-compatible base URLs. That mismatch can cause users to unknowingly send prompts, memory data, or embeddings to remote services, weakening consent and trust assumptions around sensitive workspace content.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The recall pipeline automatically logs raw user questions plus retrieval metadata to disk, creating persistent storage of potentially sensitive prompts and workspace-derived usage patterns. In a memory/search tool, users are likely to ask about secrets, incidents, credentials, or internal documents, so silent retention expands the data exposure surface beyond the stated recall function.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup script performs a network installation step even though the skill description emphasizes fully local operation with no cloud dependency. While installing Ollama may be operationally necessary, automatically reaching out to a remote host and executing installer logic expands the trust boundary and can surprise users who expect strictly local behavior.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Automatically installing third-party software from the network is broader than needed for a memory-management skill because it gives the setup script authority to modify the host system outside the skill's core function. In this context, the script is not merely configuring local files; it is introducing privileged supply-chain risk through remote bootstrap behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic workspace scanning and ingestion of file changes without warning that this creates or updates persistent memory stores and monitors local files. In the context of an agent memory skill, that behavior is more sensitive because it can silently collect, retain, and surface data from the workspace, including potentially confidential content.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is very broad ('memory recall, fact extraction, knowledge search, workspace indexing'), which can cause the platform to invoke the skill in situations the user did not specifically intend. Because the skill can scan files, extract facts, and persist them, over-triggering may lead to unnecessary ingestion or retention of sensitive workspace content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The description does not clearly warn that the skill can auto-ingest modified workspace files and store extracted facts, embeddings, and graph data. For a memory tool, this omission is significant because users may not realize local documents are being continuously processed and retained, increasing privacy and data-minimization risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user-supplied text to an LLM via call_llm_json without any explicit disclosure at the point of use. Even though the skill description says it runs locally via Ollama, this file does not enforce local-only routing or warn users that sensitive file contents, stdin, or command-line text will be processed by a model, creating privacy and data-handling risk if configuration points elsewhere or users are unaware.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When --store is used, extracted facts are persisted to agent memory without a strong user-facing warning that data may be stored durably, possibly across sessions and on different backends. In a memory-management skill, this raises meaningful privacy and retention concerns because conversations or documents can be transformed into durable facts and kept beyond the user's immediate expectation.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
User-provided facts are persisted to a local JSON file in the workspace cache without any visible disclosure, retention policy, or permission boundary. In a memory tool, stored facts may include sensitive workspace or personal data, so silent persistence creates privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code sends fact contents, category, agent, confidence, and source to a remote Convex endpoint without any visible disclosure or consent flow in the implementation. Because the skill manages agent memory, those payloads may contain sensitive workspace knowledge, making undisclosed transmission especially risky.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function sends workspace markdown content to an LLM for entity extraction without any explicit user-facing notice, consent check, or visibility into what files are being transmitted. Even though the skill advertises local Ollama usage, this code path still forwards potentially sensitive workspace content to another processing component, and misconfiguration or future backend changes could expose private data unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The incremental update path automatically reads changed markdown files and sends their contents to the LLM, which increases privacy risk because it can happen implicitly during auto-ingest without a clear user prompt. This is especially sensitive because changed files may contain newly added secrets, notes, credentials, or internal project data that users do not expect to be processed automatically.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.