Continuity Framework

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks an agent to keep long-lived local memories and relationship or identity inferences from conversations without enough user control.

Install only if you want an agent to retain and resurface local memories from prior conversations. Keep the memory directory private, avoid feeding sensitive transcripts or secrets, leave heartbeat reflection disabled unless you explicitly want automatic post-session processing, and periodically review or delete the generated memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documents use of environment variables and persistent file writes, but it does not declare permissions or clearly scope those capabilities. Hidden or undeclared access to filesystem state and configuration increases the risk of unauthorized data persistence, unexpected modification of local memory files, and operator misunderstanding about what the skill can do.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 82%
Finding: The documented behavior goes beyond the stated purpose by introducing broader CLI interactions and persistent local file management not clearly disclosed in the description. This mismatch is dangerous because users and orchestrators may authorize the skill for benign reflection while it also stores, modifies, or accepts additional inputs in ways they did not expect.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill is explicitly designed to store structured memories, relationship data, identity updates, and follow-up questions derived from prior conversations, but it does not warn the user that their conversation data may be retained and reused later. This creates a privacy and consent risk, especially because the stored data includes inferred relationship and identity information that may be sensitive or inaccurate.

Missing User Warnings

Medium
Confidence: 97%
Finding: The heartbeat integration describes automatic post-session reflection after idle time, meaning the system may continue processing and persisting conversation data after the user believes the session has ended. This is particularly risky because it happens asynchronously and without an explicit warning or consent checkpoint, making silent background retention more likely.

Missing User Warnings

Medium
Confidence: 94%
Finding: The framework explicitly promotes persistent storage of user-related experiences, preferences, relationship dynamics, and background reflection, but provides no indication of notice, consent, retention limits, or privacy controls. In a memory-oriented skill, this increases the risk of collecting and reusing sensitive personal data in ways users do not expect, especially when memories are enriched asynchronously after the conversation ends.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script reads a session transcript and persists derived analysis to local reflection artifacts without any explicit consent flow, warning, or data-minimization control. In a continuity/memory skill, transcripts can contain passwords, API keys, health information, or other sensitive conversation data that may later be retained and resurfaced unexpectedly.

Missing User Warnings

Medium
Confidence: 91%
Finding: The tool stores questions, identity notes, and reflections in a configurable memory directory but does not tell the user where that personal data will be written. In this skill context, the whole purpose is long-term memory integration, which makes undisclosed storage location and persistence semantics more dangerous because users may not realize sensitive profile data is accumulating on disk.

Ssd 3

Medium
Confidence: 96%
Finding: This skill is specifically designed to extract, persist, and later resurface memories, identity updates, and follow-up questions from prior sessions. That creates a genuine privacy/security risk because sensitive user-provided data can be captured into durable memory files and reflected back in later sessions, increasing exposure beyond the original conversation.

VirusTotal

66/66 vendors flagged this skill as clean.
