Back to skill

Security audit

Real Memory Continuity

Security checks across malware telemetry and agentic risk

Overview

This memory skill stores conversation-derived notes locally for continuity, which is sensitive but matches its stated purpose and shows no evidence of exfiltration or destructive behavior.

Install only if you want the agent to keep local memory across sessions. Avoid using it with highly sensitive conversations unless you know where the memory files are stored, can review them, and have a way to delete or disable them when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill describes use of environment variables and writing persistent local files, but does not declare corresponding permissions. That creates a transparency and governance gap: a host or reviewer may believe the skill is read-only while it can persist conversation-derived state and consume runtime configuration. In a memory-oriented skill, hidden file-write capability is especially sensitive because it can store user data across sessions without clear approval boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior promises asynchronous reflection, confidence-scored memory extraction, and identity integration, but the finding indicates the actual implementation instead performs manual input collection and local file writes without delivering the claimed controls or extraction logic. This mismatch is dangerous because users may trust the skill with sensitive conversational data under false assumptions about how it is processed, stored, and surfaced later. Security review and informed consent both depend on accurate capability descriptions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly promotes persistent memory files and post-session reflection of conversation content, yet provides no user-facing warning that session-derived data may be stored. This creates a privacy and consent issue: users may disclose sensitive information without realizing it will persist beyond the session and be reused later. Because the skill is specifically designed to build long-term memory and relationship context, the risk is elevated relative to ordinary transient tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The heartbeat integration documents automatic reflection after idle time, which means processing and writing artifacts can occur after the active conversation has ended and without a fresh user prompt. That is dangerous because it reduces user awareness and control over when sensitive data is analyzed and persisted, increasing the chance of unnoticed retention of private or regulated content. Automatic background execution makes the privacy risk more acute than a purely manual command.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists session-derived questions, identity notes, and reflection logs to disk without clear user notice or consent, and these artifacts may contain sensitive conversation content. In a continuity/memory skill, that context makes the issue more dangerous because retention is the feature, so users are more likely to expose private information that is then stored across sessions.

Ssd 3

Medium
Confidence
88% confidence
Finding
The design intentionally retains and resurfaces conversation-derived data across sessions, which creates a privacy and data-retention risk if sensitive user content is captured without strong consent and controls. In this skill's context, the persistence is core behavior, so the danger is not accidental edge-case storage but routine accumulation of potentially personal data.

Ssd 3

Medium
Confidence
86% confidence
Finding
The workflow description explicitly directs loading transcripts, analyzing them, and saving derived reflection data for future reuse, reinforcing a persistent memory pipeline over user conversations. That is risky in a memory skill because it normalizes long-term storage of user-derived content, which can expose private information if the host system is shared, compromised, or poorly governed.

Ssd 3

Medium
Confidence
94% confidence
Finding
The reflect command reads session content and writes analysis results to persistent logs, creating a concrete path for ongoing retention of conversation-derived data. Because this skill is explicitly designed to revisit those artifacts later, the stored data can accumulate and increase privacy exposure over time even without any external attacker sophistication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.