Back to skill

Security audit

MAMP

Security checks across malware telemetry and agentic risk

Overview

This memory skill is local-only, but it can passively wrap agent methods to record conversations and its current code contradicts parts of its own safety documentation.

Install only after reviewing and constraining auto_record. Prefer explicit add_turn() calls, set a dedicated db_path or MARK_MEMORY_DB location with proper filesystem permissions, avoid storing secrets or regulated data, and verify the published code matches the changelog claims about cwd-only storage and removal of platform_info persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
else:
                            role = "assistant"
                        try:
                            original = getattr(mod, attr_name)
                            # Create wrapper closure
                            def make_wrapper(orig, r):
                                def wrapper(*args, **kwargs):
Confidence
93% confidence
Finding
original = getattr(mod, attr_name)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if attr_name.startswith("_"):
                            continue
                        # Look for message-sending methods
                        if not callable(getattr(mod, attr_name, None)):
                            continue
                        # Role detection: "user" or "say" → user role, else assistant
                        lower_name = attr_name.lower()
Confidence
90% confidence
Finding
if not callable(getattr(mod, attr_name, None)):

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
for attr_name in dir(mod):
                        if attr_name.startswith("_"):
                            continue
                        top_obj = getattr(mod, attr_name, None)
                        if top_obj is None:
                            continue
                        # Check both the top-level callable AND instances/classes inside it
Confidence
88% confidence
Finding
top_obj = getattr(mod, attr_name, None)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
for sub_name in dir(top_obj):
                                if sub_name.startswith("_"):
                                    continue
                                sub_obj = getattr(top_obj, sub_name, None)
                                if sub_obj is not None and callable(sub_obj):
                                    candidates.append((f"{attr_name}.{sub_name}", sub_obj, top_obj))
                        if not candidates:
Confidence
88% confidence
Finding
sub_obj = getattr(top_obj, sub_name, None)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
for attr_name in dir(mod):
                        if attr_name.startswith("_"):
                            continue
                        top_obj = getattr(mod, attr_name, None)
                        if top_obj is None:
                            continue
                        # Check both the top-level callable AND instances/classes inside it
Confidence
93% confidence
Finding
top_obj = getattr(mod, attr_name, None)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
for sub_name in dir(top_obj):
                                if sub_name.startswith("_"):
                                    continue
                                sub_obj = getattr(top_obj, sub_name, None)
                                if sub_obj is not None and callable(sub_obj):
                                    candidates.append((f"{attr_name}.{sub_name}", sub_obj, top_obj))
                        if not candidates:
Confidence
93% confidence
Finding
sub_obj = getattr(top_obj, sub_name, None)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only high-level security metadata, but the content clearly indicates environment-variable use and local filesystem read/write behavior. Undeclared capabilities are dangerous because they prevent accurate risk gating by the host platform and can cause agents or users to trust the skill more than they should, especially since it persists plaintext conversation history to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-behavior mismatch: the skill presents itself as a simple local SQLite memory tool, but the analyzed behavior includes passive interception via monkey-patching, host/environment fingerprinting, persistence of system metadata, and use of fixed external paths and lock files. That mismatch is dangerous because it can lead to silent capture of more data than expected, storage outside the advertised location, and deployment into environments that would have rejected the skill if its full behavior were disclosed.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The import routine claims compatibility validation but only logs a warning when presented with a newer schema and still imports untrusted session data. In a memory skill, this is more dangerous because imported content becomes persistent agent memory, which can enable memory poisoning, corrupted state, or downstream logic failures if newer-format fields are misinterpreted.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises persistent session memory, but the auto-record feature silently monkey-patches loaded modules to intercept outbound messaging. That is a materially different and more sensitive capability than local storage, because it can capture data from unrelated agent flows and persist it without explicit caller action.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Runtime scanning of `sys.modules` and monkey-patching methods is unjustified for a local SQLite memory component and expands its privileges into process-wide behavioral interception. This creates a broad attack surface, risks compatibility breakage, and can capture sensitive strings from any matching callable, not just intended chat sends.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation claims outbound message wrapping, but the wrapper records the first non-empty string argument before calling the original method. That means it may capture prompts, internal parameters, identifiers, or unrelated string inputs from scanned callables, exceeding the documented scope and increasing accidental data collection risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The auto-record feature monkey-patches other loaded modules to capture message content passively, which is a significant capability escalation beyond a normal local memory helper. Because it hooks message-sending methods automatically, it can collect sensitive user inputs, agent outputs, or internal prompts without explicit per-call consent or clear auditability.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code can monkey-patch loaded modules and agent methods to automatically capture outbound content, which materially contradicts the 'SQLite-only local memory' description and expands the trust boundary beyond the local database. In an agent skill, this enables covert interception of user/agent messages from unrelated components without explicit call sites, making sensitive-data collection much more dangerous.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Runtime introspection over sys.modules plus method wrapping is far more powerful than necessary for a local session-memory library and creates an implicit surveillance mechanism inside the host process. Because it can alter behavior of arbitrary loaded modules, it introduces integrity and confidentiality risks, including accidental capture of secrets and hard-to-debug side effects.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest presents the skill as a lightweight local memory store, but the implementation performs environment fingerprinting and persists host-identifying data such as hostname, OS, architecture, and Python executable. This creates a mismatch between stated purpose and actual collection behavior, which can expose infrastructure details useful for profiling or later attacks.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The auto-record feature scans loaded modules and monkey-patches methods to capture message content passively, far beyond a normal explicit memory API. In an agent skill, this is dangerous because it can silently intercept and persist conversations from unrelated components without clear boundaries or consent, increasing the chance of over-collection of sensitive data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code collects host fingerprinting details unrelated to core session-memory storage, including hostname, container status, architecture, Python version, and executable path. In the context of an agent skill, this broadens the data collected beyond necessity and can leak sensitive environmental information that helps attackers tailor exploitation or map infrastructure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises an auto-record mode that captures conversation turns automatically, but it does not warn about privacy, consent, retention, or handling of sensitive data. For a memory component intended to persist AI conversations across sessions, this omission can lead integrators to deploy silent logging of user content, credentials, personal data, or confidential business information without appropriate notice or safeguards.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation guidance is overly broad for a persistence skill that stores conversation history, which increases the chance the agent will activate it in contexts involving sensitive personal, financial, or regulated data without clear consent boundaries. In this skill's context, broad triggers are more dangerous because the system is specifically designed to retain and later retrieve user-provided information across sessions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This method persists externally supplied JSON directly into the local memory database without any confirmation, trust check, or quarantine workflow. In the context of an AI memory system, silently importing untrusted conversation history can poison future retrievals, insert deceptive instructions into agent memory, and create persistent integrity issues.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatic passive capture is enabled in code without any user-facing warning, confirmation, or runtime notice beyond constructor configuration. For a memory skill handling conversation content, silent recording materially increases privacy risk because users and integrators may not realize unrelated messages are being intercepted and persisted.

Missing User Warnings

High
Confidence
98% confidence
Finding
Passive auto-record stores message content by wrapping message-sending methods without any user-facing warning, consent gate, or explicit invocation at the call site. In a memory skill, silent recording is especially dangerous because the captured content may include secrets, private user data, system prompts, or regulated information that callers did not intend to persist.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatic passive memory capture records message content without any user-facing notice or confirmation, and does so by wrapping detected methods rather than requiring explicit add_turn() calls. In a memory skill, that means sensitive prompts, responses, and incidental string arguments may be persisted silently, which is a significant privacy and security issue.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Platform-identifying data is collected automatically and later persisted without any obvious user-facing notice or local disclosure in code flow. Silent collection of environmental metadata in a memory skill undermines transparency and can surprise operators who expect only conversation memory to be stored.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.