Memory Workflow

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned but should be reviewed because it installs ongoing cron automation and uses broad local persistence for user memory.

Install only if you intentionally want local long-term assistant memory and a recurring cron job. Before installing, review the crontab behavior, avoid storing secrets or sensitive account/health/financial details, and consider changing the config parsing and weekly cleanup behavior so they cannot execute arbitrary shell code or delete unrelated notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents execution of shell scripts and cron-based automation but does not declare corresponding permissions or clearly scope those capabilities. This is dangerous because it hides system-modifying behavior from the permission model and can cause users or hosts to grant trust without realizing the skill will execute commands and alter scheduled tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially diverges from the declared purpose: it modifies crontab, retains persistent conversation data, and may delete history files, while some claimed features are not actually implemented. This mismatch is dangerous because users may enable a 'memory helper' expecting benign functionality but instead permit unattended persistence, scheduled execution, and data deletion they did not meaningfully consent to.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script tells the user the daily summary will run at the configured hour, but the installed cron entry is actually `*/1 * * * *`, which executes every minute. This mismatch can cause excessive automated execution, unexpected log growth, repeated processing, and trust issues because the script performs a far more frequent persistent action than disclosed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes automatic creation and updating of memory files plus cron job installation without an explicit warning about persistent storage, background execution, or system modification. This is dangerous because users may unknowingly store sensitive conversation data on disk and allow recurring tasks that continue operating after the initial interaction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installer modifies the user's crontab and installs a persistent scheduled task without clear up-front disclosure or confirmation. Because cron creates ongoing execution beyond the install session, undisclosed persistence is security-relevant and especially sensitive in an agent skill context where users may not expect system-level changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script executes `source "$CONFIG_FILE"` on a file located inside the workspace, which causes arbitrary shell code in that file to run with the privileges of the weekly review job. Because this script is designed for automated execution via cron and uses a root-owned workspace path, any attacker who can influence that config file can achieve command execution during the scheduled run.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs persistent collection and reuse of conversation details in files and even supports reading them on every message. In this context, the capability is more dangerous because the purpose is explicitly long-term memory, so it can accumulate sensitive personal, behavioral, or operational data beyond what users expect from a transient assistant session.

Ssd 3

Medium
Confidence
94% confidence
Finding
The documentation tells the assistant to ask before storing new user preferences and then immediately persist them for future use. Although consent is mentioned, this remains risky because preferences and settings can still include sensitive personal data, and the skill does not define boundaries, minimization rules, or revocation/deletion safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.
