Back to skill

Security audit

Persistent Memory — Local Markdown Context

Security checks across malware telemetry and agentic risk

Overview

This is a transparent local-memory skill that stores and reads user-approved Markdown notes, with real privacy considerations but no hidden execution, network transfer, or deceptive behavior found.

Install only if you want compatible agents on the same machine or filesystem to share local Markdown memory. Keep sensitive secrets out of the memory folder, use explicit commands like load memory or memory status, and review proposed writes, archive/delete actions, and any loaded memory summaries before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger examples for loading memory include natural-language phrases like 'what do you know about me', which can plausibly appear in ordinary conversation and may cause the skill to activate unexpectedly. Because activation leads to reading local persistent files, an unintended match could disclose personal context without the user clearly invoking the memory system.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The on-demand loading condition says the conversation 'matches an entry in _index.md', but does not define strict matching rules or boundaries. That ambiguity can cause overbroad retrieval of unrelated memory files, increasing the chance of unnecessary exposure of stored personal or project information.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Save triggers like 'remember this', 'save this', and 'update memory' are broad enough to occur during normal dialogue, especially in multi-step assistant interactions. Even though the skill requires confirmation before writing, unintended activation can still prompt the agent to collect and propose sensitive material for persistence, which raises privacy and data-minimization concerns.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The delete trigger includes generic phrasing like 'remove file', which may overlap with ordinary requests unrelated to this memory system. While the skill's archive-first and confirmation requirements reduce severity, accidental activation of a destructive workflow still creates risk of confusing or unsafe file handling proposals around persisted user data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger 'clean up memory' is ambiguous and can resemble normal conversational requests about summarization, optimization, or deleting context. Because the associated workflow scans stored memory and proposes archive/delete actions, accidental activation could expose file inventories and lead users toward unintended retention changes.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very broad natural-language phrases such as 'what do you know about me' and '我的背景', which can plausibly appear in ordinary conversation without an explicit intent to access local memory. In a skill that reads cross-session personal context from local files, accidental activation can expose stored personal data to the model and influence the response with information the user did not intend to load in that moment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The on-demand loading rule says to load files when 'the current topic matches entries in _index.md', but it does not define a strict matching policy or require user confirmation. Because the indexed summaries may contain personal or project-sensitive topics, a loose semantic match could cause the agent to read unrelated memory files based on incidental topic overlap, unnecessarily expanding data exposure.

Session Persistence

Medium
Category
Rogue Agent
Content
- Each **compatible agent** can discover this skill or has an equivalent fallback instruction.
- The agents use the **same local filesystem** and resolve `~/.persistent-memory/` to the same location.
- The active user has read/write permission for that location.

Two agents do not automatically share every historical conversation. They share only memory files saved into this folder and only when the conditions above hold.
Confidence
76% confidence
Finding
write permission for that location. Two agents do not automatically share every historical conversation. They share only memory files saved into this folder and only when the conditions above hold.

Session Persistence

Medium
Category
Rogue Agent
Content
- each agent can discover this skill or an equivalent fallback instruction;
- the agents use the same local filesystem and the same `~/.persistent-memory/` path;
- the active user has permission to read and write that path.

Platform memory may coexist. Persistent Memory does not import historical chats or replace an agent's built-in memory.
Confidence
91% confidence
Finding
write that path. Platform memory may coexist. Persistent Memory does not import historical chats or replace an agent's built-in memory. ## Memory Location and Scope `~/.persistent-memory/` ```text

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.