Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it handles private memories, API keys, GitHub sync, and persistent shell changes with enough scoping and credential-handling problems that users should review it carefully before installing.

Install only if you are comfortable with a memory tool that can read and write local memory files, index private notes, call external embedding providers, and sync memory content through GitHub. Prefer manual install over curl-to-bash, use --no-shell-rc, avoid storing API keys in shell startup files, use a private dedicated repository, review the remote URL before syncing, and do not store secrets or highly sensitive personal data in the memory repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (53)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if token and "https://github.com" in clone_url:
        clone_url = clone_url.replace("https://", f"https://{token}@")
    os.makedirs(os.path.dirname(repo_dir) or ".", exist_ok=True)
    subprocess.run(["git", "clone", clone_url, repo_dir], check=True)
    print(f"✅ 克隆完成: {repo_dir}")
else:
    print(f"✅ 仓库已存在,跳过克隆: {repo_dir}")
Confidence
92% confidence
Finding
subprocess.run(["git", "clone", clone_url, repo_dir], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    os.chmod(cred_file, 0o600)
except Exception:
    pass
subprocess.run(
    ["git", "config", "credential.helper",
     f"store --file {cred_file}"],
    cwd=repo_dir, check=True,
Confidence
95% confidence
Finding
subprocess.run(["git", "config", "credential.helper", f"store --file {cred_file}"], cwd=repo_dir, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    else:
        print(f"⬇️  克隆仓库: {repo_url}")
    os.makedirs(os.path.dirname(target_dir) or ".", exist_ok=True)
    subprocess.run(["git", "clone", repo_url, target_dir], check=True)
    print(f"✅ 克隆完成: {target_dir}")
else:
    # Local initialisation
Confidence
80% confidence
Finding
subprocess.run(["git", "clone", repo_url, target_dir], check=True)

Tainted flow: 'index_path' from os.environ.get (line 388, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
if os.path.exists(user_dir):
    content = build_user_index(base_dir, uid)
    index_path = os.path.join(user_dir, "INDEX.md")
    with open(index_path, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"✅ 个人索引已更新: users/{uid}/INDEX.md")
else:
Confidence
94% confidence
Finding
with open(index_path, "w", encoding="utf-8") as f:

Tainted flow: 'clean_url' from os.environ.get (line 482, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    cwd=repo_dir, check=True,
    )

subprocess.run(
    ["git", "remote", "add", "origin", clean_url],
    cwd=repo_dir, check=True,
)
Confidence
86% confidence
Finding
subprocess.run(["git", "remote", "add", "origin", clean_url], cwd=repo_dir, check=True)

Tainted flow: 'clone_url' from os.environ.get (line 560, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    if token and "https://github.com" in clone_url:
        clone_url = clone_url.replace("https://", f"https://{token}@")
    os.makedirs(os.path.dirname(repo_dir) or ".", exist_ok=True)
    subprocess.run(["git", "clone", clone_url, repo_dir], check=True)
    print(f"✅ 克隆完成: {repo_dir}")
else:
    print(f"✅ 仓库已存在,跳过克隆: {repo_dir}")
Confidence
95% confidence
Finding
subprocess.run(["git", "clone", clone_url, repo_dir], check=True)

Tainted flow: 'stats_path' from os.environ.get (line 341, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    user_report += f"- {s}\n"
else:
    user_report += "- ✅ 状态良好\n"
with open(stats_path, "w", encoding="utf-8") as f:
    f.write(user_report)
print(f"\n✅ 个人统计已写入: users/{uid}/STATS.md")
Confidence
95% confidence
Finding
with open(stats_path, "w", encoding="utf-8") as f:

Tainted flow: 'repo_url' from os.environ.get (line 370, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    else:
        print(f"⬇️  克隆仓库: {repo_url}")
    os.makedirs(os.path.dirname(target_dir) or ".", exist_ok=True)
    subprocess.run(["git", "clone", repo_url, target_dir], check=True)
    print(f"✅ 克隆完成: {target_dir}")
else:
    # Local initialisation
Confidence
87% confidence
Finding
subprocess.run(["git", "clone", repo_url, target_dir], check=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description materially understates the operational scope: beyond memory management, it installs software, modifies shell RC files, persists configuration, performs Git sync/merge operations, and accesses multi-user private data. That mismatch can mislead users or orchestrators into granting trust to a skill that has broader persistence, code-execution, and data-access behavior than its headline description suggests.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The guide states `private` memory is visible only to the user and only on the local device, but the sync policy later says L2/L3 memory is automatically synchronized across devices without restating or enforcing the private restriction. In a memory-management skill handling potentially sensitive personal notes, this ambiguity can lead to private data being propagated to other devices or repositories contrary to the declared privacy model.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The documented uid-resolution order conflicts with the provided sample code, which changes how a user's identity is selected in a multi-user memory store. In this context, identity confusion can cause the agent to read or write another user's private memory, creating confidentiality and integrity risks rather than just a documentation defect.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The manifest says the user ID comes from MM_UID, but the documented code reads MEMORY_USER_ID instead. In a system handling per-user private memories, inconsistent identity sources can cause fallback to scanning all users or selecting the wrong account, leading to accidental exposure or cross-user writes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer collects an API key interactively and persists it into the user's shell startup file, which expands its behavior from setup into long-term credential management. Storing secrets in shell rc files increases exposure to accidental disclosure through backups, dotfile syncing, shared accounts, shell history mishandling, and later inspection by unrelated tools.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The installer appends a global alias to the user's shell configuration, causing persistent modification of the interactive shell environment outside the core repository setup. While lower risk than secret handling, silently changing shell behavior can create unexpected command conflicts and establishes a persistence mechanism that users may not notice.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill exposes broad filesystem lifecycle operations such as creating, archiving, and deleting markdown files recursively under a configurable base directory, which materially exceeds narrow semantic-search memory management. In an agent context, these commands can cause unintended mass modification or deletion of local files if the base directory is misconfigured or influenced, increasing blast radius beyond the manifest's core purpose.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill reads multiple identity and credential sources, including OPENAI_API_KEY, SILICONFLOW_API_KEY, ZHIPU_API_KEY, USER/USERNAME, MM_UID, and config files, even though much of this data is not required for every command. In an agent environment, broad secret and identity access expands sensitive-data exposure and creates opportunities for accidental leakage to logs, downstream modules, or external model providers.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented sync command supports GitHub pull/push for user memory data, which creates an outbound data-transfer channel beyond local memory management. In a memory skill, that is security-relevant because memories may contain sensitive personal data, and the docs do not state safeguards such as consent, repository restrictions, encryption, or redaction before remote sync.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The security section claims strict privacy isolation for private memories, but the search interface documents scopes of private, shared, and all without clarifying access-control boundaries. That inconsistency can mislead users about who can access what data and increases the risk of unintended cross-user or shared-data exposure in a multi-user memory system.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The helper `_get_api_key` accepts `ANTHROPIC_API_KEY` as a fallback for embedding providers that are unrelated to Anthropic. This can cause an unrelated secret to be silently reused for outbound requests, creating cross-service credential misuse and increasing the chance of accidental secret exposure or failed requests against third-party endpoints.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The search method builds uid/scope/level filters but never applies them to the LanceDB query, so callers may receive results outside the intended tenant, scope, or memory level. In a memory-management skill handling cross-device and per-user data, this can leak other users' memories or data partitions and break isolation guarantees.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The CLI help and docstring explicitly state that --undo can roll back the most recent compression/archive/upgrade operation, but the implementation only rewrites files that still exist at their original paths. Archived L1 files are moved out of users/<uid>/daily, and undo_snapshot skips restoration when the original path no longer exists, so archive operations are not actually reversible as advertised. In a memory-management skill, this creates a real integrity and recovery risk because operators may delete or move memory assuming rollback is safe when it is not.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code comments and user-facing behavior imply that snapshots protect compression, archiving, and upgrades, but snapshots are only persisted when compressed_count > 0. An upgrade-only run can modify the weekly memory file via upgrade_repeated_themes without ever calling create_snapshot, leaving no rollback point despite the tool advertising snapshot-backed undo. In this skill context, that is dangerous because it silently weakens recovery guarantees for user memory data and can cause irreversible state changes.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
When scanning shared memory files, the code yields owner='shared', but later persists rows with row_uid set to the caller-supplied uid instead of the shared owner. This breaks tenant separation and the shared/private data model: shared embeddings become duplicated or misattributed per caller, which can corrupt authorization assumptions, search results, retention, and deletion behavior across users.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The relation-building loop uses the wrong membership check: it tests whether target_cid is present in its own related list instead of checking for source_cid. As a result, duplicate relations can accumulate and the stored graph can become inconsistent, which undermines integrity of memory linkage and any downstream logic that relies on related_ids for ranking, recall, or policy decisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to ensure `base_dir` stays in an expected range, but it only blocks a few prefixes and does not enforce that operations remain inside a specific repository root. This allows attackers to point the script at arbitrary non-blocked directories and read from or write index files within unintended locations, which is especially risky in a memory-management skill that processes potentially sensitive user and shared data.

VirusTotal

66/66 vendors flagged this skill as clean.