Security audit

SEEM

Security checks across malware telemetry and agentic risk

Overview

SEEM is a coherent conversation-memory skill, but it stores user-provided memories locally and sends text to configured model providers.

Install only if you want a persistent memory layer. Use dedicated API keys, set explicit LLM_BASE_URL and MM_ENCODER_BASE_URL values, avoid storing secrets or regulated data unless those providers and local storage are acceptable, and clear the local data directory when retained memory is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities that access environment variables, local files, and external network services, but does not declare permissions or provide an explicit trust boundary. In a memory skill that persists conversation data and uses remote LLM/embedding APIs, this omission is security-relevant because operators cannot accurately assess what data may be read or transmitted.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill serializes raw memories, chunk contents, graph data, and multiple embedding stores to local disk, which materially increases the persistence and exposure of sensitive conversation data. In a memory skill handling multi-turn user conversations, this creates a real confidentiality risk if the host is shared, backups are taken, files are exfiltrated, or retention exceeds user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The BM25 retriever performs automatic NLTK downloads at runtime, creating undisclosed network egress during normal local retrieval operations. In a memory skill that may process sensitive conversations, this expands the attack surface, breaks offline expectations, and can violate least-privilege or restricted-environment assumptions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented clear command performs destructive deletion of persisted memory data, yet the skill text does not warn about irrecoverable data loss or recommend backups/confirmation safeguards. For an episodic memory system, accidental invocation could erase conversation history and derived fact graphs, causing integrity and availability loss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill stores and retrieves conversation memories and explicitly depends on external LLM and embedding services, but the description lacks a privacy warning that user conversations, entities, and facts may be persisted locally and transmitted to third-party APIs. In this context, the omission is more dangerous because the skill’s core purpose is long-term retention and semantic processing of potentially sensitive conversational data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends conversation content to external LLM/embedding services during storage, retrieval preprocessing, and fact extraction, but this file provides no consent, disclosure, or gating before transmission. Because the skill is specifically designed to ingest user conversations and possibly images, undisclosed third-party data transfer meaningfully raises privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The persistence layer writes raw chunk_store contents, memories, graph relationships, facts, and embeddings to disk without any visible warning, retention policy, or protection mechanism. For a conversational memory system, this expands the attack surface for sensitive user content and can lead to silent long-term retention that operators or users may not expect.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The generate method sends system and user prompts to an external API without any in-file consent, warning, or data-handling guardrails. Because this skill is an episodic memory system, prompts may contain highly sensitive conversation history, increasing privacy and compliance risk if transmitted to third-party services unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The embedding encoder transmits raw text to an external service with no visible notice or filtering in this file. Since embeddings may be generated from stored memories and conversation content, this can leak sensitive personal or proprietary information to a remote provider.

Missing User Warnings

Low
Confidence
89% confidence
Finding
Automatic NLTK downloads cause silent network activity without user awareness or administrator approval. While the downloaded data is not the conversation content itself, hidden egress and runtime dependency fetching can violate policy, reduce reproducibility, and create operational risk in restricted environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This tool is explicitly designed to store and recall conversation memories, but its configuration hard-codes external LLM and embedding endpoints and the store/recall flows pass user-provided text into the SEEM backend without any disclosure, consent prompt, or minimization visible in this file. In a memory skill, users are especially likely to submit sensitive conversation content, so silent transmission to third-party services creates a real privacy and data-governance risk even if the behavior is intended.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill intentionally stores raw observations, reformats them into summaries, facts, and recall results, and can return original utterances and associated content in plain language. In a memory skill this is partly expected functionality, but the breadth of storage and recall increases the chance of overexposing sensitive user-provided content to later prompts, callers, or anyone with filesystem access.

External Transmission

Medium
Category
Data Exfiltration
Content
    """Load configuration from environment variables"""
    return SEEMConfig(
        llm_api_key=os.getenv("LLM_API_KEY", ""),
        llm_base_url=os.getenv("LLM_BASE_URL", "https://api.xiaomimimo.com/v1"),
        llm_model=os.getenv("LLM_MODEL", "mimo-v2-flash"),
        mm_encoder_api_key=os.getenv("MM_ENCODER_API_KEY", ""),
        mm_encoder_base_url=os.getenv("MM_ENCODER_BASE_URL", "https://api.siliconflow.cn/v1"),
Confidence
86% confidence
Finding
https://api.xiaomimimo.com/

External Transmission

Medium
Category
Data Exfiltration
Content
        llm_base_url=os.getenv("LLM_BASE_URL", "https://api.xiaomimimo.com/v1"),
        llm_model=os.getenv("LLM_MODEL", "mimo-v2-flash"),
        mm_encoder_api_key=os.getenv("MM_ENCODER_API_KEY", ""),
        mm_encoder_base_url=os.getenv("MM_ENCODER_BASE_URL", "https://api.siliconflow.cn/v1"),
        mm_encoder_model=os.getenv("MM_ENCODER_MODEL", "Qwen/Qwen3-Embedding-8B"),
        enable_integration=True,
        enable_fact_graph=True,
Confidence
86% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.