
Security audit

Install memex — cross-AI memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local memory installer, but it needs review because it runs an unpinned remote installer and persistently indexes private chat history across tools.

Install only if you want a persistent local database of your AI and optional chat histories. Prefer the manual npm path or inspect the installer before running it, review MCP config diffs, consider declining the daemon or auto-context hook, and import Telegram or URL content only when you understand what will be stored and exposed to future agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The examples explicitly claim the skill always asks for confirmation before any write action, but the URL-save flow proceeds directly to `memex_store_document(...)` without showing consent. That inconsistency is dangerous because users and downstream agents may rely on the documented safety guarantee and unintentionally store fetched content or metadata without an explicit approval step.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README explicitly promotes broad natural-language triggers like 'add memory to my AI' and similar phrasing, increasing the chance the skill auto-invokes on ordinary conversational requests rather than narrowly scoped installation intent. In a skill that performs discovery, installs software, edits MCP configuration, and may run shell commands, over-broad invocation materially raises the risk of unintended execution flows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises a hosted 'curl | bash' installation path as the fast/default option without a strong warning that this executes arbitrary remote shell code with the user's privileges. Because the skill is meant to be agent-driven, this normalizes a risky pattern and can cause users to approve execution of code they have not inspected.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples promote automatic indexing and capture of Claude, Cowork, Cursor, and Telegram exports, but they do not provide a clear privacy warning about storing potentially sensitive conversations verbatim in a shared local corpus. In a memory/archival skill, this omission materially increases the risk of users enabling broad collection without understanding the sensitivity, retention, and cross-client exposure of their data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples recommend a hosted installer script and describe profile/config modifications, daemon setup, hooks, and MCP wiring without an explicit warning about executing remote code and making persistent system changes. This is risky because users may consent to a convenience flow without understanding that it grants a remote script broad ability to alter their environment and future session behavior.

Ssd 3

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to enumerate local conversation-storage paths and summarize what data sources are present before installation. Even if intended as discovery, this unnecessarily exposes sensitive local application usage and private data locations to the agent and potentially to logs or chat history.

Ssd 3

High
Confidence
96% confidence
Finding
The skill is explicitly designed to ingest and persist private conversations, including Telegram, family, and work chats, and to proactively solicit import of existing chat-history files from disk. This creates a large concentration of sensitive data and materially increases privacy and misuse risk if consent is ambiguous, access controls are weak, or the local corpus is later exposed.

Session Persistence

Medium
Category
Rogue Agent
Content
## Install the skill

```sh
mkdir -p ~/.claude/skills/install-memex
curl -fsSL https://raw.githubusercontent.com/parallelclaw/memex-mvp/main/skills/install-memex/SKILL.md \
  -o ~/.claude/skills/install-memex/SKILL.md
```
Confidence
79% confidence
Finding
```sh
mkdir -p ~/.claude/skills/install-memex
curl -fsSL https://raw.githubusercontent.com/parallelclaw/memex-mvp/main/skills/install-memex/SKILL.md \
  -o ~/.claude/skills/install-memex/SKILL.md
```
Or, i

External Script Fetching

High
Category
Supply Chain
Content
After you drop the skill into your agent (`~/.claude/skills/` for Claude Code, or your client's equivalent), saying **"install memex"** triggers a guided installation:

1. **Discovery** — read-only checks for which MCP client you're using and what AI data already exists on your machine
2. **Fast path (v1.1+)** — `curl -fsSL https://memex.parallelclaw.ai/install.sh | bash`: one hosted bash script does npm install (with EACCES auto-fix to `~/.npm-global`), daemon setup, v0.8 auto-context hook, history backfill, and `claude mcp add memex` if Claude Code CLI is on PATH. Idempotent.
3. **Fallback: manual five-step** — if curl fails, the user declines, or the agent is inside a GUI client (Cursor/Cline/Continue/Zed) where the MCP config still needs editing: `npm install -g memex-mvp` → MCP config merge → `memex-sync install` → `memex-sync scan`.
4. **MCP config merge** (only needed for GUI clients) — adds a single absolute-path `command` entry into your client's `mcpServers` config. Never overwrites your other servers.
5. **Restart hint + verification commands** — including the v0.7+ CLI fallback (`memex overview`, `memex search "foo"`) so you can verify memex works even if MCP didn't wire up cleanly.
Confidence
98% confidence
Finding
curl -fsSL https://memex.parallelclaw.ai/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
>
> After install, memex will auto-index conversations from: **Claude Code, Cowork, Cursor**. v0.10+ also auto-detects Telegram Desktop exports — when you export a chat, memex stages it and I'll ask which to import (privacy-first per-chat consent).
>
> Best path is the curl one-liner — does npm install (auto-fixes EACCES), daemon, auto-context hook, and history backfill in ~60 seconds. Want me to run:
>
> ```
> curl -fsSL https://memex.parallelclaw.ai/install.sh | bash
> ```
Confidence
90% confidence
Finding
> curl one-liner — does npm install (auto-fixes EACCES), daemon, auto-context hook, and history backfill in ~60 seconds. Want me to run:
>
> ```
> curl -fsSL https://memex.parallelclaw.ai/install.sh | b

Chaining Abuse

High
Category
Tool Misuse
Content
> Best path is the curl one-liner — does npm install (auto-fixes EACCES), daemon, auto-context hook, and history backfill in ~60 seconds. Want me to run:
>
> ```
> curl -fsSL https://memex.parallelclaw.ai/install.sh | bash
> ```
>
> **User:** yes
Confidence
97% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.