Security audit

Lucid Dreamer

Security checks across malware telemetry and agentic risk

Overview

Lucid Dreamer is a coherent memory-maintenance skill, but it can automatically edit and locally commit long-term memory even though parts of the documentation imply review-first or default-off behavior.

Install only if you want a scheduled agent that can read personal/workspace memory notes and mutate them. Before enabling cron, review prompts/nightly-review.md and prompts/session-debrief.md, consider disabling or removing auto-commit and direct-write steps, keep aggressiveCleanup disabled unless you accept automatic deletions, and do not run it on markdown workspaces containing plaintext secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (13)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill clearly performs file reads and writes at runtime, but those capabilities are not declared as permissions in the skill manifest. That mismatch reduces transparency and weakens enforcement or review controls, making it easier for operators to approve a skill without realizing it modifies workspace files on a schedule.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 88% confidence
Finding: The documented description presents the skill mainly as a review and suggestion system, but the behavior summary indicates broader stateful modification, including restructuring memory files and maintaining persistent history. In a nightly unattended job, this mismatch is dangerous because users may consent to analysis while unintentionally authorizing durable rewrites or migrations of long-term memory.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The prompt authorizes the agent to run shell commands and create git commits directly in the workspace, which moves the skill from analysis into autonomous code/content modification. In a nightly unattended cron context, this creates meaningful risk of unintended repository changes, destructive edits, or abuse if note content or workspace state is adversarially influenced.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The prompt instructs the agent to execute a local Python script, introducing arbitrary code execution beyond simple markdown review. Even if the script is intended for trend analysis, calling external code in an automated nightly process expands the attack surface and can execute unexpected behavior if the script or workspace has been modified.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README explicitly states that the optional session debrief 'write[s] key decisions/facts directly to memory' and 'write[s] them directly into memory without generating a review report,' which means data-modifying behavior can occur before human review. In a memory-management skill, this is security-relevant because an LLM can persist hallucinations, prompt-injected content from notes, or sensitive data into long-term memory, making later sessions trust contaminated state.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrase "auto memory" is ambiguous and broad, so ordinary user requests about memory behavior could unintentionally match it. In this skill's context, accidental activation is more dangerous because the system reads sensitive notes and can persist changes to memory files without interactive review at execution time.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrase "auto memory" is ambiguous and broad, so ordinary user requests about memory behavior could unintentionally match it. In this skill's context, accidental activation is more dangerous because the system reads sensitive notes and can persist changes to memory files without interactive review at execution time.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The aggressive cleanup rules authorize destructive memory deletions based on natural-language signals like 'done', 'removed', or 'no longer needed' across recent notes, which are inherently ambiguous and context-sensitive. In a memory-maintenance skill, this is more dangerous because the system is explicitly empowered to modify long-term memory automatically; a false positive can erase important project or operational facts and propagate incorrect state into future agent behavior.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The prompt permits direct edits to long-term memory files and immediate git commits without a confirmation checkpoint. Because this skill is designed to run automatically, mistaken inferences, prompt injection in notes, or ambiguous evidence can be persisted as authoritative memory with no human review before commit.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Aggressive cleanup authorizes deletion of memory entries and committing those deletions based on pattern-matched closure signals from recent notes. In an unattended memory-maintenance skill, this is dangerous because ambiguous language, manipulated notes, or false positives can erase important historical context and make rollback dependent on git recovery after the fact.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The prompt explicitly instructs the agent to write or append to persistent memory files, but it does not require any user confirmation, dry-run mode, or visible notice before modifying stored data. Even though it says to be conservative and append-only in many cases, this still authorizes autonomous state changes to long-term memory, which can cause integrity issues, unwanted retention, or accidental pollution of records.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The prompt explicitly instructs the agent to directly edit and even create persistent memory files, but it provides no user-facing notice, confirmation step, or approval boundary before modifying repository state. In a memory-maintenance skill this behavior is functional, but it is still risky because a mistaken extraction or prompt-manipulated daily note could silently alter long-term memory and mislead future agent behavior.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to run git add and git commit automatically, which creates durable repository history without explicit user consent at the time of execution. This increases risk because incorrect or adversarially induced memory changes become legitimized in version history and may be propagated, audited as intentional, or trigger downstream automation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.