Security audit

Memory Dreaming

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built rather than deceptive, but it handles persistent memory, full chat archives, external summarization, and plaintext secrets in ways users should review carefully before installing.

Install only if you are comfortable with local long-term memory files and chat archives being created. Do not store passwords, tokens, API keys, or session secrets in MEMORY.md or daily notes. Avoid `--all` and silent nightly jobs until you have scoped approved channels, reviewed transcripts, configured exclusions, and decided whether external LLM summarization is acceptable or should be self-hosted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill markets itself as requiring 'no external service,' but later states that `conversation-summarise.js` sends raw conversation transcripts to OpenRouter/OpenAI-compatible APIs using keys loaded from environment files. That mismatch can cause operators to enable the skill under a false assumption of full locality, leading to unintended disclosure of sensitive chats, credentials, or private messages to third-party providers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly treats passwords, tokens, API keys, SSH details, and similar secrets as memory items that should be retained and protected from automatic archival, but it provides no warning, minimization guidance, encryption requirement, or access-control expectation. In a persistence framework for agent memory, this normalizes long-term storage and propagation of highly sensitive credentials, increasing the chance of secret exposure through files, backups, logs, or later summarization and recall flows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The architecture describes automatic archival of full conversation transcripts and LLM-powered summarization across channels without warning that chat content may be stored long-term and sent for model processing. Because this framework is specifically designed for persistent cross-session memory, the absence of consent, privacy notices, retention controls, and sensitive-data filtering materially increases the risk of collecting and redistributing private or regulated communications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to archive and summarize conversations across all channels and sessions without any privacy notice, consent requirement, retention limit, or handling guidance for personal or sensitive data. This creates a real risk of collecting, transforming, and persisting user data in ways that violate least-privilege and data-minimization principles.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The documentation allows a natural-language conversational trigger to install a scheduled job without strong activation constraints or confirmation requirements. In an agent environment, broad trigger phrases can be invoked accidentally or through prompt injection/social engineering, causing persistent background automation to be installed without sufficiently explicit user intent.

Missing User Warnings

High
Confidence
95% confidence
Finding
This section documents silent background archiving and summarization of all channel conversations with delivery mode set to none and notes that the user should not be alerted unless something is broken. That creates a clear privacy and consent risk because sensitive conversation data may be collected, processed, and summarized without prominent notice, especially in multi-channel or multi-user contexts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The nightly dream cycle instructs the agent to prune stale entries from MEMORY.md and reintegrate or restructure memory content in an unattended background session. Automated modification of persistent memory without clear safeguards can corrupt important state, remove needed information, or let maliciously planted content become durable and trusted.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guidance explicitly encourages storing credentials, connection details, and configuration in persistent memory files without any safeguards, warning, or minimization guidance. In an agent memory system, that materially increases the chance of long-term secret retention, accidental disclosure in future prompts, repository leakage, or exposure through logs and backups.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Telling users to record API keys directly in daily notes normalizes plaintext secret persistence in a long-lived memory store. That creates a clear path to credential compromise through prompt leakage, source control commits, local file exposure, archives, and unintended reuse by the agent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script sends full conversation archives and generated topic summaries to external LLM providers via HTTPS without any explicit user confirmation, opt-in gate, or per-run warning. Although it attempts secret redaction, the redaction is heuristic and incomplete, so private chat content, personal data, internal URLs, business context, or missed credentials can still be disclosed to third-party services.

Ssd 3

Medium
Confidence
84% confidence
Finding
The README explicitly describes preserving long-term memory for structural data such as passwords and archiving conversations for later processing, which creates a real confidentiality risk even if the implementation is local-first. In this context, the danger is amplified because archived transcripts and memory stores can accumulate sensitive data over time, and the summarisation feature may disclose that data to an external LLM provider despite redaction claims that are inherently incomplete for natural-language secrets.

Ssd 3

Medium
Confidence
93% confidence
Finding
The quick-start instructions encourage bulk archiving of all conversations and the security section confirms that summaries are sent to a third-party LLM API, creating a concrete path for large-scale collection and disclosure of user communications. Skill context makes this more dangerous, not less, because the feature is specifically designed for cross-channel persistence and broad contextual retention, so any sensitive content captured in chats can be centralized and externally processed.

Ssd 3

Medium
Confidence
93% confidence
Finding
The file encourages recording personal details such as name, timezone, preferences, channels, and other conversation-derived facts into persistent memory with no minimization boundary. In a memory skill, this is especially dangerous because the feature is specifically designed for long-term retention, increasing privacy exposure and the chance of storing unnecessary personal data.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to archive everything across available sessions/channels promotes wholesale collection rather than selective retention. Because this skill's purpose is persistent cross-session memory and archiving, the context makes broad ingestion more dangerous: it can accumulate unrelated, sensitive, or multi-party data far beyond what is needed.

Ssd 3

High
Confidence
97% confidence
Finding
The archive and summary workflow directs bulk collection and AI processing of all sessions/channels, then recommends scheduled recurring execution. This compounds risk by enabling ongoing surveillance-like retention, secondary processing of personal communications, and long-term exposure of sensitive or third-party data without safeguards.

Ssd 3

High
Confidence
99% confidence
Finding
This skill is specifically designed for persistent long-term memory, which makes instructions to retain credentials and infrastructure details especially dangerous in context. Persisting such data broadens the blast radius: a single compromise of memory files, summaries, archives, or future context windows could expose privileged access and sensitive operational details across sessions.

Ssd 3

High
Confidence
99% confidence
Finding
The daily note guidance explicitly recommends capturing exact secrets and infrastructure details in plain text, which is a direct unsafe-data-retention pattern. Because these notes are intended as input to dream-cycle consolidation and long-term memory, the document effectively promotes systematic collection and propagation of highly sensitive data across multiple files and time horizons.

Session Persistence

Medium
Category
Rogue Agent
Content
```
cron add --job '<json above>'
```

Or in conversation: "Add a cron job for the nightly dream cycle" and paste the JSON definition.

## Heartbeat Alternative
Confidence
87% confidence
Finding
Add a cron job for

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.